Friday, November 18, 2011

My Perfect Forensic Curriculum


It was asked at Mid-terms what we thought of our Forensics Class, and what we would change. Digital Forensics is my passion, and I had A LOT of ideas. At the time I kept quiet because I was considering the question. I have decided to post this as a blog, to allow some discussion and communication on the topic.

This is the description of the class:
Fundamentals of computer and network forensics, forensic duplication and analysis, network surveillance, intrusion detection and response, incident response, anonymity and pseudonymity, privacy-protection techniques, cyber law, computer security policies and guidelines, court testimony and report writing, and case studies. Emphasis on hands-on experiments.

While the overall description sounds like a great class, in reality there is so much information being delivered that there is really no depth in what we learn. Keep in mind that this idea is a long-term development; it will require funding and dedication to make it happen. I feel that if you want to be the best in the country providing this education, then you have to make the commitment to decimate the competition.


Intro to Forensics: (Undergrad)
Basically you want the students to leave this class with a solid understanding of the history of forensics, the investigation process, and a well-rounded foundation for pursuing an investigation.


Windows Forensics: (Undergrad/grad)
Basically you take this book, and you spend 16 weeks going through it. Reinforce what they are learning in class with labs. First few weeks of class they create an image of a PC, and then utilize various tools through the semester to analyze it. You also have a few live machines that you can do live analysis on. You teach the students the ins and outs of Windows OS, the quirks, the pain points, and the tools to utilize.

Linux Forensics (Undergrad/Grad)
Basically you take this book, and you spend 16 weeks going through it. Reinforce what they are learning in class with labs. First few weeks of class they create an image of a PC, and then utilize various tools through the semester to analyze it. You also have a few live machines that you can do live analysis on.


Mac Forensics (Undergrad/Grad)
Basically you take this book, and you spend 16 weeks going through it. Reinforce what they are learning in class with labs. First few weeks of class they create an image of a PC, and then utilize various tools through the semester to analyze it. You also have a few live machines that you can do live analysis on.


Network Forensics (Grad)
This class teaches how to find an attacker's footprint on the network. Students will learn to analyze data from switches, IDS, NetFlow, and packet captures. They will learn to find covert channels, carve logs and packet captures, and correlate traffic and artifacts to find the evidence.


Mobile Forensics (Grad)
This class will teach the student how to forensically investigate mobile devices. Students will learn the process of investigating and handling various mobile devices and the information that is stored within the various artifacts that can be recovered.


Advanced Forensics (Grad)
This class would delve deeper into forensic analysis, techniques used for anti-forensics, steganography, etc. It could also be used to define research goals for improving forensics capabilities and solutions.

This should give the student a dedicated and more complete understanding than just cramming everything into a single 16-week brain dump course. This also requires a facility and resources to accomplish this goal. You will need to recruit some of the Digital Forensics power players to refine and establish a solid baseline. You will need to have two or three professors who are dedicated to Forensics to teach and develop the curriculum and take the time to invest in training.

If this is done right, you can help fund the curriculum by utilizing the services of the program for the following:
· Conducting Digital Forensics
· Providing training for practitioners
· Data Recovery services
· Technology transfer of tools researched and developed by the University


2 comments:

  1. Somewhere in the program you have to cover at least some portion of Brian Carrier's File System Forensic Analysis book, it is the category killer. Though with EXT4, ExFAT and BTRFS, we should keep our fingers crossed that Carrier takes on the task of writing the 2nd Ed.

  2. Dave, I agree that Brian's book is incredible; I am borrowing my co-worker's copy, which he got from a SANS course. I think it would fall somewhere in the advanced topic and deal with nothing more than File Systems.
