SUKHVINDER HARA
MIDDLESEX University, The Burroughs, Hendon. NW4 4BT
Abstract - This paper focuses on the development of two Masters modules (Evidence Management and Digital Investigations) by an ex-digital investigator. The modules provide emphasis on the practical application of case management and exposure to technical investigations using industry tools.
The syllabi have been designed so that students apply their skills in a practical manner from taking part in realistic digital crime scene searches where they apply investigative skills dealing with suspects to imaging computers with different operating systems and mobile media.
Throughout the modules the students are provided with numerous scenarios that have realistic data sets so they can find weighted evidence and produce evidence with accurate reports.
The incorporation of industry tools other than EnCase and FTK provides students with experience of conducting decryption, email, Internet and mobile investigations on these datasets.
Key challenges were faced when creating data sets for students.
The datasets could not contain sensitive or viral material; therefore an investigation of content had to be carried out prior to student use.
This lifecycle experience is vital for all students regardless of their prior educational experience, so they become professionals that can go into industry and become functional members of teams.
1. Introduction
This paper discusses the development of two digital forensic modules by an experienced digital forensic investigator from a law enforcement background.
The experience from industry has been significant in designing the modules so equal weight is placed on industrial practice and academic demands.
The syllabus of each module has been designed to reflect the training new investigators receive in industry. The two modules concurrently emphasize the importance of evidence and case management together with providing proficiency in technical aspects of digital media and investigations.
This provides students with accurate and current working practices. It also highlights how investigators work and liaise with investigators from other agencies and other sectors in industry. All aspects of working with and in inter-disciplinary teams are dealt with, highlighting the varying responsibilities digital investigators have.
The syllabi provide a clear indication to those who are involved in the teaching of the modules and those who are being taught. The module learning outcomes provide students with an indication of what may be assessed later.
By setting this clear expectation of the material that has to be learnt, it addresses the expectations students have in this subject area. Students often misunderstand what digital forensics involves, and place more importance on the practical component of the subject rather than on the importance of the auditable documentation and reporting.
In the paper the benefits of providing students with a complete set of forensic tools to analyse a variety of datasets are discussed, together with enhanced employability prospects.
The creation of datasets is discussed together with obtaining datasets that contain suitable learning material.
2. Digital Forensics from an investigator's perspective
Digital forensics is seen as a desirable career, which has been popularised by many television programmes and documentaries. The processes and procedures displayed in these often breach the acceptable practices that are currently used. The area of digital forensics is growing; this advance is spurred by the integration and use of digital devices in our daily lives [1]. It is a discipline that is now present in sectors such as health, finance, law enforcement and the corporate sector. This increase and demand for investigators has seen this discipline being offered in numerous universities.
In this discipline Digital Investigators analyse digital media methodically to discover potential evidential data without changing data attributes such as dates and times on the original media. Digital Investigators use techniques that gather evidence for it to be presented in court.
This information may be:
Easily discovered – usually still present on the media in its original format
Deliberately concealed – it may be hidden within other files, in non-partitioned areas; file extensions may have been changed. Often users want to conceal the identity of the file or prevent others from accessing or seeing it
Deleted – Information that the user has deleted through normal or deliberate use. The file may still be present on the disk in its full presentation, or may only show partial information. Even partial information that has been forensically recovered has legal credibility.
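As an added illustration (not part of the original paper), the sketch below shows one way to spot the "deliberately concealed" case where a file extension has been changed: compare each file's leading signature bytes with the extension it carries. The signature table, file names and header bytes are constructed for the example.

```python
from __future__ import annotations

import os
from dataclasses import dataclass

# (leading bytes, format name, extensions normally used for that format).
# A small constructed table for illustration, not a complete signature database.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"GIF87a", "gif", {"gif"}),
    (b"GIF89a", "gif", {"gif"}),
    (b"%PDF-", "pdf", {"pdf"}),
    # Office Open XML and OpenDocument files are ZIP containers.
    (b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx", "odt"}),
]


@dataclass(frozen=True)
class Finding:
    name: str
    extension: str
    detected: str  # format named by the header, or "unknown" / "empty"
    status: str    # "match", "mismatch" or "unknown"


def identify(header: bytes) -> tuple[str, set[str]]:
    """Return (format, expected extensions) for the first matching signature."""
    for magic, fmt, extensions in SIGNATURES:
        if header.startswith(magic):
            return fmt, extensions
    return "unknown", set()


def check_file(name: str, header: bytes) -> Finding:
    """Compare a file's extension with the format its header bytes indicate."""
    extension = os.path.splitext(name)[1].lstrip(".").lower()
    if not header:
        # Nothing to compare against; report it rather than guess.
        return Finding(name, extension, "empty", "unknown")
    fmt, expected = identify(header)
    if fmt == "unknown":
        status = "unknown"
    elif extension in expected:
        status = "match"
    else:
        status = "mismatch"
    return Finding(name, extension, fmt, status)


def triage(files: dict[str, bytes]) -> list[Finding]:
    """Return only the files whose extension disagrees with their header."""
    findings = (check_file(name, header) for name, header in sorted(files.items()))
    return [f for f in findings if f.status == "mismatch"]


# Constructed sample: file name -> first bytes, as they would be read from a
# working copy of a forensic image (never from the original media).
SAMPLE = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "notes.txt": b"\xff\xd8\xff\xe1\x00\x18Exif",      # JPEG renamed to .txt
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00",
    "system.dll": b"%PDF-1.4\n",                        # PDF renamed to .dll
    "readme.txt": b"Plain text with no known signature",
    "empty.dat": b"",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(f"{finding.name}: extension .{finding.extension}, "
              f"header indicates {finding.detected}")
```

A mismatch is a lead for the investigator to examine and record in contemporaneous notes, not proof of concealment on its own.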
As data is stored on digital media and cannot be seen visually, it is made accessible by using a variety of forensic software and hardware.
Alongside the investigation Digital Investigators ensure they maintain a documented chain of continuity when it comes to evidence movement and document the processes they used in their contemporaneous notes.
Digital forensics draws and applies techniques from other corresponding areas such as criminology, law, forensic science, audit and business [2].
It expects students to assimilate these skills and apply them to the investigation at hand. This adaptive style provides longevity in a career, as long as reputation, knowledge and investigative skill are maintained. The highly competitive sector advises investigators to follow the Association of Chief Police Officers (ACPO) guidelines [3]; breach of these guidelines can reduce the credibility and employability of an investigator. Investigators in this field have varying technical skill sets but all investigators need to develop investigation skills to discover information.
3. Industry preferences
The digital forensic sector prefers students that not only have practical skills but have the ability to question processes, procedures and offer alternative solutions.
Students are required to have mastered what evidential continuity and integrity is by realising the consequences if this is not maintained in terms of impact of loss of evidence, client loss, reputation and revenue.
There is a need for students to understand the importance of documentation and writing unbiased reports tailored to audience needs.
From my own perspective as an investigator, these preferences are expected from students who complete programmes at this level. This difference in expectations has seen students in forensic positions complete training courses before they are permitted to handle evidence and begin processing it.
However the reality is that academia provides the learning steps to ease the transfer of students into employment, rather than providing training to become fully trained investigators after completing the programme [6].
These differences in expectations can be dealt with to a certain extent by providing modules that have a practical emphasis on skills required for industry.
4. Key considerations before syllabi development
Before the syllabus and learning outcomes for each module were formalised, there were a number of factors that influenced the module syllabi.
Consultation with forensic colleagues in various sectors identified key skills employers currently perceive as important. Employers placed a higher value on team working and practical skills that would allow students to be functional members of teams.
To successfully educate and train students, forensic software and hardware were required. By utilising industrial forensic knowledge, software that was used in commercial and law enforcement agencies was purchased. This would allow students to gain experience of different investigations using industry favoured tools.
It was deemed necessary that students should experience the complete cycle of forensics, and be able to confidently carry out each stage of an investigation, which in turn would improve their employability.
As digital forensics further develops the variety of skills students may already possess, the modules needed to take into account how to pass on investigative skills and techniques.
Thought was also given to developing material for varying abilities and experience in a segmental method. This modular approach would cater for all abilities and investigators who seek academic qualifications or for continuing professional development. It was essential the modules had forensic content, rather than placing more emphasis on computer security [4].
5. Reflection on team work and co-operation
The syllabi of the modules have been prepared to teach the technical and the procedural elements, whilst also preparing students to use soft skills to work effectively in teams.
From personal experience of this industry, it is often found that technical skills can be taught but teaching participation and working in teams is more difficult to do.
In both modules there is a strong emphasis on how to manage other investigators, delegation of caseload and how to listen and take instructions from other colleagues.
Students are also taught how to manage forensic contractors and their obligations by using contracts. Even though contracts are often written by legal teams, investigators provide input on what they expect and on terms and conditions. A few of these may include rates of pay, whether contractors are required to provide statements, dealing with conflicts of interest, whether contractors securely transport evidence, which forensic tools are to be used and certification requirements. Through this exercise the responsibility of the investigator is clearly conveyed when managing non-technical teams. This is especially vital when dealing with media, as it needs to be dealt with in accordance with its technology or investigation needs (live investigation of media).
Even though there is the need and expectation to work with others, often digital investigators work by themselves to complete case loads. This is highlighted to students by providing images of hard disks that take considerable time to analyse.
6. Additional factors that influence syllabi development
The resources that were made available had considerable influence on the syllabi, as this meant different types of investigations could be taught.
The secure forensic lab was equipped with workstations loaded with purchased software (FTK, EnCase, NetAnalysis, Aid4Mail, Tomtology, Paraben software, PRTK as well as other products).
The programme itself was designed to be delivered over twenty four weeks, with the option to run in block mode on demand. Inevitably the syllabi had to be designed for each delivery method.
By developing material in units, it could be tailored to meet the delivery mode, technical ability and as additional learning material. Various types of material were created to provide variety in learning.
As forensic imaging and other processes can take some time to complete, it was decided that on the twenty four week programme the material would be delivered in three hour slots. This would allow the flexibility of combining lectures with lab sessions or concentrating on one of these. The benefit of this method is that students would have more time to absorb the material and have adequate time to conduct practical investigations.
7. Data creation
Creating realistic data sets is a difficult task. It is a laborious process, where data has to represent a particular crime scenario. Consideration has to be given to the time period, file attributes and metadata. Information has to be inserted in areas of a hard disk students would not anticipate (master boot records, partition areas, marking additional bad sectors).
The dataset has to be accurate and mimic the usage of a user.
This provides students with a problem based learning experience [6]. This sharpens their investigative skills and further enhances their technical skills on forensic products.
Although creating a hard disk of data is difficult, creating other datasets is far easier.
The repository for the postgraduate modules contains DVD-ROMs, Navigation units, USB drives with investigative data. Single file types of data can also be created, for instance email data sets or false web mail data.
For Internet investigations accurate experience is provided by analysing hard disks, although relevant files can be exported for analysis.
Investigation experience on mobile phones is provided by analysing either my store of personal phones or students' personal SIM cards. This ad hoc approach does provide students with the experience of this data type.
Ideally, if the nationwide forensic repository programme is realised, it would be beneficial to those who need a variety of investigative datasets to facilitate learning.
Since this is not the case at the moment, there are online resources for training forensic investigators where a variety of datasets are available. This does however require teaching staff to be able to technically investigate the datasets for unsuitable material and relevance for their teaching.
8. Development of syllabi
To begin this process substantial reliance was put on personal industrial experience, working practices and training methods. When training an investigator, greater emphasis is placed on practical training, as experience has to be first hand. To design the syllabus for each module there were questions and thoughts that were contemplated, specifically:
How junior investigators are trained and apply this to practical work
Creating a syllabus that places emphasis on practical work with relevant training material
Designing syllabus topics that would cover a range of technologies
Reasons employers would consider employing students
Providing the true digital forensic experience
What other postgraduate forensic courses are offering
To create a stimulating learning experience and impart sufficient knowledge for students to be employable, a substantial period was spent addressing these points.
An exercise was conducted to investigate other forensic postgraduate programmes at this level. This had a threefold objective: firstly to create a competitive programme, secondly to gain an indication of the forensic tools that are currently being offered, and thirdly to serve as a quality assurance exercise, as there is no nationwide standard for forensic curriculum development [7].
The results of this process indicated that the variety of purchased forensic tools would provide more varied educational material and industrial experience would show how these applications are used in an investigation. A concept that needed to be delivered to students was that most digital investigations are conducted with a number of tools to check validity of results as this is considered good practice.
The topics within the modules have not been based on other universities; they have been based on how industry trains new investigators, specifically in law enforcement. They apply tried and tested methods that introduce concepts which are reinforced with practical experience. The main difference in training students is that they have an academic year to learn digital forensics, whereas a trainee investigator may only have a few months. Both modules run concurrently, which facilitates learning of correct procedures and identification of practices in the correct order. This enables students to maintain good practices from the start.
The table below shows a selection of syllabus topics for both modules. The table does not represent teaching order.
Digital Investigation and technology
Evidence management and forensic processes
Core investigation skills
Investigative guidelines
Forensic Imaging
Evidence, Exhibit, Chain of custody, contemporaneous notes Forensic Investigation
FTK
Digital processes
Forensic investigation
Encase
Digital forensic tools
Email investigations
Forensics laboratory requirements Internet Investigations
Forensic hardware kit
Decryption tools
Document control systems
Investigating devices with GPS technology
Preparing an investigation
Investigating mobile devices, IPAD and
Smartphone’s
Incident methodology
Investigating and analysis of operating systems Industry guest speaker
Industry guest speaker
Digital crime scene requirements Crime scene simulation
Crime scene simulation
Digital evidence production in electronic and paper form
Evidence collection and seizure e-Discovery
Evidence management
Secure technologies and digital response to these
Documentation
New Emerging technologies Digital evidence in court
Specialized forensic
Disclosure: impact on areas – social network investigations and case analysis, audio forensics
Table.1. Selection of topics in each module
The modules have been designed to teach and guide students to confidently deal with media practically and in management of it. In the practical component students’ knowledge is built up from the fundamentals of identifying cable and pin types to the re-assembly of media components (computers, laptops and net books). This assists students when they remove hard disks to image, or if they have to install components to image from a suspect machine.
Students are exposed to the techniques users employ to hide data in a variety of operating systems (Windows, MAC, Linux and UNIX). Further experience is provided in imaging and accessing hard disks with encryption. Disk reconstruction from images is also taught, showing how investigators can investigate re-created working systems.
Throughout the technical training students are taught how to make effective contemporaneous notes and how these are used to create reports and their use in court. In all practical investigations ACPO guidelines are used and their limitations are also discussed.
With the substantial practical knowledge students gain by investigating and solving dataset scenarios, the students are made aware of the damage that can be caused by misuse of technical expertise [8]. However, students are advised to learn and experience all aspects of digital forensics as great importance is placed by employers on education, certification and training [9].
To provide a comprehensive learning experience both modules simulate a crime scene session. Here students apply their skills to conduct and secure a location at the university.
Students work in teams to reflect roles in a search and deal with suspects and digital media. This strategy is useful to reinforce continuity, contemporaneous notes, ACPO and search techniques. It is usually in this simulation students feel the pressure of this exercise and fail to follow certain procedures, which in real situations could invalidate an operational search.
By using the Lecture, Exercise, Apply and Feedback (LEAF) [10] framework, feedback is provided from observation of this exercise. This exercise highlights the importance of procedural steps in terms of management, responsibility issues and how different media is seized and dealt with.
Substantial time is spent with students to teach how to prepare for an investigation. This includes how organisations liaise, effective intelligence gathering and hardware requirements. Students are taught about the differences between commercial and law enforcement investigations in the context of seizure of evidence and covert operations.
As well as covering the traditional areas of forensics, students are given the opportunity to see more specialized areas of investigation such as social network analysis, which is a growing area in forensics.
The topics of the syllabi are generic in their description and have been designed in a manner that allows new material to be included.
Revision of any material may also take into consideration comments and feedback from students regarding the material or delivery of the modules [11].
Colleagues from both law enforcement and the corporate sector are invited to speak to the students. This provides students with the assurance that the content they are learning is accurate and the procedures which they consider as mundane are necessary in this discipline. The visits also highlight the different working conditions and expectation of employers in the two sectors.
9. Further development
It is important to recognise how the field of forensics develops in line with new technologies and media types.
Therefore it is prudent to review the syllabus of each module to see when it needs to reflect these developments.
Further improvement to these modules can be made by creating the additional material for each topic in the syllabus using podcasts. This would provide extra material and exercises to deliver advanced concepts in bite sized portions.
This material could then be accessed by students online for learning. The collection of podcasts could be used by those students who want a deeper understanding of concepts. A library of podcasts could be built into a considerable learning tool and this concept could be used by other colleagues, who could also contribute to this.
It may also be possible to arrange for students to visit forensic units, using industrial contacts, so that students can see genuine working environments.
10. Summary
The concepts behind the development of the syllabi for these modules have been presented in this paper. The emphasis on the practical component in these modules has been done with considerations to the academic framework.
The paper highlights what investigators in industry are looking for in potential employees. Providing students the chance to gain these desired skills will place them in very good standing for employment.
The incorporation of the forensic tools has provided students the opportunity to gain experience in using these for an academic year. These skills can be formalised further by students if they proceed to take vendor exams and gain professional certification.
11. References
1. Etter, B. (2001). The forensic challenges of e-crime. 7th IndoPacific Congress on Legal Medicine and Forensic Sciences, Melbourne, Australia.
2. Irons, Alastair, Laing, Chris, Anderson, Phil. Pedagogic innovation in teaching computer forensics. 7th Annual Conference on the Teaching of Computing. http://www.ics.heacademy.ac.uk/Events/HEADublin2006_V2/papers/Alastair%20Irons%205.pdf
3. ACPO Good Practice Guide for Computer-Based Electronic Evidence. http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf
4. Gottschalk, L., Liu, J., Dathan, B., Fitzgerald, S., & Stein, M. (2005). Computer forensics programs in higher education: A preliminary study. SIGCSE Bull. 37, 1 (Feb. 2005), 147-151.
5. Beebe, Nicole Lang, and Jan Guynes Clark (2006). "Digital Forensics Curriculum Development: Identification of Knowledge Domains, Learning Objectives, and Core Concepts," Proceedings of the Twelfth Americas Conference on Information Systems, Acapulco, Mexico, August 2006.
6. Schwartz, P., Mennin, S., and Webb, G. (2001). Problem Based Learning: Case Studies, Experience and Practice. London, Routledge.
7. Rogers, M., & Seigfried, K. (2003). The future of computer forensics: A needs analysis survey. Computers & Security, 23, 12-16.
8. Irons, Alastair. Pedagogic teaching computer ethics to computer forensics students. 8th Annual Conference on the Teaching of Computing. http://www.ics.heacademy.ac.uk/events/8th-annualconf/Papers/Alastair%20Irons.pdf
9. Stambaugh, H., Beaupre, D., Icove, D. J., Baker, R., Cassaday, W., & Williams, W. P. (2000). State and local law enforcement needs to combat electronic crime. National Institute of Justice Research in Brief.
10. Delivery of Forensic Computing Analysis using Effective Formative Feedback. Ian Mitchell and Sukhvinder Hara, Middlesex University, UK. http://www.ics.heacademy.ac.uk/docs/IanMitchell.pdf
11. Forensic Course Development – One Year Later. Troell, Luther, Pan, Yin, Stackpole, Bill. 2003. Proceeding CITC5 '04, Proceedings of the 5th conference on Information technology education. http://portal.acm.org/citation.cfm?id=1029547