i n t

e g

r i r

a n

a

s i g

u r

n o

s t

Digital Forensics Education

Damir Delija,

Irena Kukina

Bratislava , 23.9.2012. god.

2 Content

Digital forensics education and training

Relevant IT related knowledge and skills

Sources of knowledge and skills for digital forensics

3

Why education for digital forensic ?

Without training and education there is no effective use of digital forensics tools and methodology of digital forensics

The ability to use different tools does not mean the ability to work reliably, especially from legal point of view

With HW and SW training there is a need for additional education and continuous improvements and keeping up

4 Who needs digital forensics (1)

Police, prosecution, judiciary ...

People there have to understand digital forensics

Digital Forensics Education

5 Who needs digital forensic (2)

IT business is looking for all kind of digital forensics knowledge and practice

6 Who needs digital forensics (3)

Academy needs people who can teach existing digital forensics and who can develop and evaluate new digital forensics techniques

7 Who needs digital forensics (4)

Policy-makers and decision-makers in all involved organizations need to understand meaning and importance of digital forensics and related strategic issues like permanent training and education

8 Digital forensics path

Basic educaion and training • Professionall, technical, legal

Keeping updated • Keeping up tehnology

• Deeper specialisation

• Keeping up with global trends

• Permannet roles, role rotations and duty rotations

• Career path as part of skills improvement

Profesionall and technical certifications • Proof of ability and qualifications

Continuous education and knowledge transfer Part of the job basics and ethics

9 Knowledge Sources

Academy – long term things

• educational programs based on the recognized forensic curriculums

• seminars, technology, research, think-thank

• long-term projects and research that can not be carried out elsewhere

Vendors – targeted training / professional training

• HW / SW vendors with product trainings

• Education for certain forensic and other products, skills

• General training and education based on certified training material

10 Knowledge Sources

Internal, the "knowledge" of the organization - continuous internal education

• Analytics, information about events as sources

• flow of information and use the information as a knowledge

Internet • Digital forensic online resources

Other • Conferences, trends local and global

11 Education and news

Digital Forensics follows the development of computer technology and science, also it follows the evolution of computer crime

New things are coming ....

Problem – how to keep up

Solution – continuous education, but how do it ?

Who is trainer and who is trainee, how training is done ?

Who is initiating a training / education ?

Where are knowledge sources ?

How long it will to fulfill training, how to measure success

• Who train trainers,

• Who evaluate results (and on which basis),

• who evaluate achieved knowledge

How expensive is new knowledge and how expensive it to be “in dark”

12 IT areas of expertise

Operating systems

• windows, linux, mac, unix,

Hardware

• intel, mobile devices, sparc, powerpc, scada, embedded systems

Applications

• sw which users use, even without their knowledge

• in broadest sense, even malware

Networking, network services and infrastructure

• tcp/ip v4, v6 ...

• industrial networking protocols

13 Operating systems - desktops

Windows ~ 75%

Linux ~ 3%

Mac ~ 12%

Windows XP (35.21%)

Windows 7 (31.21%)

Windows Vista (11.27%)

Mac OS X (7.31%)

iOS (3.38%)

Android Linux (1.30%)

GNU/Linux (1.11%)

14 MS Windows

15 MS Windows • win 3.11

• win nt, win 95, win 98,

• win2000

• win XP, win 2003

• vista

• win 7, windows 2008

• win 8

• windows mobile, windows ce

Each windows version something new, different and undocumented, a bit of nightmare

• directory structure

• where are OS files, registry, configuration files

• HW platforms change (intel, alpha, powerpc, arm)

• File systems (FATxx, NFTS, exFAT)

• and all other artifacts recycle bin, print spooler, backup, index, mail, vss, browser ...

•

16 UNIX

server OS

rarely or expertly user OS

17 Linux – UNIX derivate

Linux distributions – incredible number of versions, sometimes important differences

OS with various applications

Can be for

• Servers

• Users (desktops etc)

Can be used on

• Mobile devices

• All HW platforms supported

• Embedded devices

• Robots

• And surely I’ve forget something

18 Apple Mac

Evolution like windows

• os 1 .... os 10.x

Different HW

• personal machines, servers

• mobile devices –today mostly

OS versions

• FS system differences

• OS differences path from mac to unix ..

• how data is stored in SQL and PLists

19 Mobile devices

It’s almost self-contained devices

Basically today - smartphones • apple ios,

• android,

• windows

and GPS, tablets, old mobiles and many other things

Various vendors (wars)

Various OS (private and open source)

Various FS, encryption, etc

More exception than rules

Forensic tools not too compatible ... (wars)

20 Smartphones trends

USA, 2011

Today almost same

21 Mobile devices - Android OS

Android biggest one on the market

Version are different, artifacts and tools too

Android versions

Android versions - 2011

22 Network and net services

It is a special part of digital forensics – network forensics

TCP/IP v4, v6

Legacy networking protocols (IBM SNA)

Wireless forensics

Broadband 3G / 4G

Malware analyses

23 Applications and programs

Email clients (outlook, webmail)

Email servers (exchange)

Chat, messengers, voip (skype)

web browsers

• Internet Explorer

• Mozilla

• Opera

• Chrome

Forensic artifacts depends on OS, version, configuration

Which tools can access this artifacts in forensically sound way

24 What is our mission

Continuous digital forensics training to meet our customer needs

Education is customer oriented, based on tools and tasks

At user premises, in our training center or any appropriate location

Consulting in various issues related to digital forensics

25 What is important

Continious learning in • Tools developement

• Evolution of computer related crime

• IT evolution

Feedback from real world what is missing and

what needs improvements

Keep up with tehnology

Keep up with digital forensics methodology

Keep up with legal issues

Certifications

26 Conclusion

Knowledge is expensive, but ignorance is even more expensive (trivia, but true)

There must be system of continuous training

• internal resources are often overlooked and left to fade away

Digital forensics is more important

• It is part of critical infrastructure defense

Because of limited resources

• Cooperation (very, very hard to achieve)

• As simple as possible internal organization

• Career path benefits

27 Questions

damir.delija@insig2.hr

irena.kukina@insig2.hr