Digital Forensics Education
Damir Delija,
Irena Kukina
Bratislava, 23.9.2012.
Content
Digital forensics education and training
Relevant IT related knowledge and skills
Sources of knowledge and skills for digital forensics
Why education for digital forensics?
Without training and education there is no effective use of digital forensics tools and methodology
The ability to use different tools does not mean the ability to work reliably, especially from a legal point of view
Beyond HW and SW training there is a need for additional education, continuous improvement and keeping up to date
Who needs digital forensics (1)
Police, prosecution, judiciary ...
People there have to understand digital forensics
Who needs digital forensics (2)
IT businesses are looking for all kinds of digital forensics knowledge and practice
Who needs digital forensics (3)
Academia needs people who can teach existing digital forensics and who can develop and evaluate new digital forensics techniques
Who needs digital forensics (4)
Policy-makers and decision-makers in all involved organizations need to understand the meaning and importance of digital forensics and related strategic issues such as permanent training and education
Digital forensics path
Basic education and training
• Professional, technical, legal
Keeping updated
• Keeping up with technology
• Deeper specialisation
• Keeping up with global trends
• Permanent roles, role rotations and duty rotations
• Career path as part of skills improvement
Professional and technical certifications
• Proof of ability and qualifications
Continuous education and knowledge transfer
• Part of the job basics and ethics
Knowledge Sources
Academia – long-term things
• educational programs based on recognized forensic curricula
• seminars, technology, research, think tanks
• long-term projects and research that cannot be carried out elsewhere
Vendors – targeted training / professional training
• HW / SW vendors with product trainings
• Education for specific forensic and other products and skills
• General training and education based on certified training material
Knowledge Sources
Internal, the "knowledge" of the organization – continuous internal education
• Analytics, information about events as sources
• flow of information and using that information as knowledge
Internet
• Digital forensics online resources
Other
• Conferences, local and global trends
Education and news
Digital forensics follows the development of computer technology and science; it also follows the evolution of computer crime
New things are coming ...
Problem – how to keep up
Solution – continuous education, but how to do it?
Who is the trainer and who is the trainee, how is training done?
Who initiates training / education?
Where are the knowledge sources?
How long will it take to complete training, how to measure success
• Who trains the trainers,
• Who evaluates results (and on which basis),
• who evaluates achieved knowledge
How expensive is new knowledge and how expensive is it to be "in the dark"
IT areas of expertise
Operating systems
• Windows, Linux, Mac, UNIX
Hardware
• Intel, mobile devices, SPARC, PowerPC, SCADA, embedded systems
Applications
• software which users use, even without their knowledge
• in the broadest sense, even malware
Networking, network services and infrastructure
• TCP/IP v4, v6 ...
• industrial networking protocols
Operating systems – desktops
• Windows ~ 75%
• Linux ~ 3%
• Mac ~ 12%
OS versions
• Windows XP (35.21%)
• Windows 7 (31.21%)
• Windows Vista (11.27%)
• Mac OS X (7.31%)
• iOS (3.38%)
• Android Linux (1.30%)
• GNU/Linux (1.11%)
MS Windows
• Win 3.11
• Win NT, Win 95, Win 98
• Win 2000
• Win XP, Win 2003
• Vista
• Win 7, Windows 2008
• Win 8
• Windows Mobile, Windows CE
Each Windows version brings something new, different and undocumented, a bit of a nightmare
• directory structure
• where the OS files, registry and configuration files are
• HW platforms change (Intel, Alpha, PowerPC, ARM)
• File systems (FATxx, NTFS, exFAT)
• and all the other artifacts: recycle bin, print spooler, backup, index, mail, VSS, browser ...
UNIX
Server OS
Rarely a user OS, and then mostly for expert users
Linux – UNIX derivative
Linux distributions – an incredible number of versions, sometimes with important differences
OS with various applications
Can be for
• Servers
• Users (desktops etc.)
Can be used on
• Mobile devices
• All supported HW platforms
• Embedded devices
• Robots
• And surely I've forgotten something
Apple Mac
Evolution like Windows
• OS 1 .... OS 10.x
Different HW
• personal machines, servers
• mobile devices – today mostly
OS versions
• File system differences
• OS differences along the path from Mac to UNIX ...
• how data is stored in SQL and plists
Mobile devices
These are almost self-contained devices
Basically today – smartphones
• Apple iOS,
• Android,
• Windows
and GPS, tablets, old mobiles and many other things
Various vendors (wars)
Various OS (proprietary and open source)
Various FS, encryption, etc.
More exceptions than rules
Forensic tools not too compatible ... (wars)
Smartphone trends
USA, 2011
Today almost the same
Mobile devices – Android OS
Android is the biggest one on the market
Versions are different, artifacts and tools too
Android versions – 2011
Network and network services
It is a special part of digital forensics – network forensics
TCP/IP v4, v6
Legacy networking protocols (IBM SNA)
Wireless forensics
Broadband 3G / 4G
Malware analysis
Applications and programs
Email clients (Outlook, webmail)
Email servers (Exchange)
Chat, messengers, VoIP (Skype)
Web browsers
• Internet Explorer
• Mozilla
• Opera
• Chrome
Forensic artifacts depend on OS, version and configuration
Which tools can access these artifacts in a forensically sound way
What is our mission
Continuous digital forensics training to meet our customers' needs
Education is customer oriented, based on tools and tasks
At user premises, in our training center or any appropriate location
Consulting on various issues related to digital forensics
What is important
Continuous learning in
• Tools development
• Evolution of computer related crime
• IT evolution
Feedback from the real world on what is missing and what needs improvement
Keep up with technology
Keep up with digital forensics methodology
Keep up with legal issues
Certifications
Conclusion
Knowledge is expensive, but ignorance is even more expensive (trivial, but true)
There must be a system of continuous training
• internal resources are often overlooked and left to fade away
Digital forensics is becoming more important
• It is part of critical infrastructure defense
Because of limited resources
• Cooperation (very, very hard to achieve)
• Internal organization as simple as possible
• Career path benefits