Workforce training in Digital Forensics


National Forensics Training Center
“A National Impact for Mississippi State University”
Dave Dampier
Department of Computer Science and Engineering
What is the threat?
• Identity Theft
• Theft of Trade Secrets
• Using corporate networks to launch attacks on others
• Fraud
• Embezzlement
• ????
History of Digital Forensics
• The earliest notion of digital forensics came when the Federal Rules of Evidence first started to discuss digital evidence in the 1970s.
• Real digital forensics investigations started in the mid-to-late 1980s, when federal agents had to start figuring out ways to search computers for digital evidence.
• This “home-grown”, bottom-up approach continued until the late 1990s, when security researchers at universities and labs started to figure out that this problem was big enough to warrant investigation.
• Research groups sprang up across the country starting around 2000 or 2001.
• The first Digital Forensics Research Workshop (DFRWS) was held in Utica, NY in August 2001.
Digital Forensics Early at MSU
• Initial work in digital forensics started at MSU in 2002.
• We managed to catch the “crest of the wave”.
• Lots of training and lots of research led to the first class in Spring 2003.
• The class has been held at least once per year since.
• 2003-2006 were spent building a “real” capability in digital forensics.
• Several M.S. and Ph.D. graduates by 2006.
• National Forensics Training Center (NFTC) – Funded by DOJ beginning in 2005. Trains state and local law enforcement in cyber crime issues and basic tools and techniques of digital forensics investigation.
• Introduced more advanced training starting in late 2006, and have continued to build capability ever since.
• Wounded Warrior Training introduced in 2008: an NSF-funded initiative under the Cyberinfrastructure Training, Education, Advancement, and Mentoring for Our 21st Century Workforce (CI-TEAM) Program.
Digital Forensics Now at MSU
• Graduate Research
  • Five active PhD students at various stages of research
    • One will graduate in December. Two more will likely graduate by next December
  • Eleven active M.S. students: four doing thesis, others doing projects
• Classes are always at capacity
  • Introductory Digital Forensics offered at least once per year
  • Advanced Digital Forensics offered at least once every other year
  • Freshman Seminar Forensics offered each Fall
    • This includes all aspects of forensics. Students are exposed to digital forensics for three weeks in October.
Background on Law Enforcement Support
• Since 2005, MSU has managed a unique and successful Computer Crime and Digital Forensics training program to support state and local law enforcement. Feds not prohibited, but not invited either.
• Through varied DOJ grants, ~$10M has been used to support our Digital Forensics Training and our ongoing partnership with the Mississippi Attorney General.
• Funding supports an MSU-coordinated Forensics Training Center that trains local and state law enforcement across the US. Provides no-cost training for law enforcement officers, prosecutors, and trial judges on current technical issues associated with computer crime. About 5000 trained in 34 states.
• Funds a state-of-the-art integrated Cyber Crime Fusion Center (CCFC) in Jackson, MS. FBI, Secret Service, Postal Inspectors, Attorney General’s Office, and MSU cooperate in the Cyber Crime Fusion Center.
Law Enforcement Training
• Training conducted at MSU/Ole Miss/JSU/Siller’s Building or at student’s location when enough students are guaranteed
• Course offerings:
  • Computer Forensics Primer
  • Introduction to Cyber Crime and Digital Forensics
  • Practical Training in Computer Forensics
  • Search and Seizure of Computers and Electronic Evidence: Law Enforcement
  • Search and Seizure of Computers and Electronic Evidence: Trial Judges
  • Introduction to Digital Forensics for Prosecutors
  • Advanced Digital Forensics
  • Network Forensics
  • Open Source Tools for Forensics
  • Commercial Tools for Forensics
  • Special Topics in Forensics
    • Investigation Planning
    • FBI Image Scan Classes
    • Cell Phone Training
NFTC Staff
Director
• Dave Dampier, PhD
Instructors
• Kendall Blaylock, MS, IS (Lead)
• Wes McGrew, MS, CS, Pursuing PhD in CS
• Sherita Sekul, MPA, Former AG Forensics Investigator
• April Tanner, PhD, Jackson State University
Research Assistants
• Dae Glendowne, PhD Student
• Chris Ivancic, PhD Student
Contract Instructors
• John Fretts, Retired Law Enforcement Officer
• Keith Leavitt, Law Enforcement Officer, Active Forensics Examiner
We Developed University Partners
• National Forensics Training Center
  • St Cloud State University
  • University of Texas at Tyler
  • California Polytechnic Pomona
  • University of Washington
  • University of West Georgia (Relationship just beginning)
• For Wounded Warrior Digital Forensics Training
  • Mississippi State University (lead)
  • Auburn University
  • Tuskegee University
National Impact
34 states have at least one trained.
5 states have current training center.
18 host sites have hosted training.
National Impact
• States affected:
  • Alabama, Arkansas, Alaska, California, District of Columbia, Delaware, Florida, Georgia, Idaho, Indiana, Kansas, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Missouri, New Hampshire, New York, North Carolina, North Dakota, South Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Virginia, West Virginia, Washington
• Remote classes taught in:
  • Alabama, Arkansas, Alaska, California, Florida, Georgia, Idaho, Indiana, Maryland, Michigan, Minnesota, Tennessee, Texas, West Virginia
• Currently in negotiation with Connecticut State Police to have a class
IMPACT
Labs/Equipment
• Laboratories
• Strategically Placed Equipment
• Future Equipment
  Adding cell phone capability in more places
56 of 82 counties affected.
[Map of Mississippi counties; labeled counties: Tishomingo, Tippah, Webster, Noxubee, Jefferson, Amite]
Wounded Warrior Training
• Leveraged NFTC successes
• Partnered with Auburn/Tuskegee
• $1M effort for 3 years
• Partnering with Defense Cyber Crime Center for follow-on training
• Classes have been held at WRAMC; Ft. Benning, GA; Ft. Knox, KY; Ft. Carson, CO; Ft. Lewis, WA; Norfolk Naval Hosp; Redstone Arsenal; Jackson VA Hospital; Ft. Sam Houston, TX; and more to come…
Wounded Warrior Training Curriculum
• When we started, we had three tracks of instruction to accommodate backgrounds
  • Track 1: Do not have a background in computing (24 hours)
  • Track 2: Good understanding of hardware and software basics (56 hours)
  • Track 3: Those students that need advanced digital forensics training (40 hours)
• Lessons learned caused us to modify this training to two basic tracks:
  • Track 1 + Track 2 (72 hours)
  • Track 3 (32 hours)
Curriculum Details
• Introduction to Computers: This three day block will introduce the student to computer architecture, disk formatting, common software packages, operation of the computer, and an introduction to computer security concepts (firewalls, malicious code protections, spam, browsers, audit logs, and accountability). During this block of instruction, students will disassemble and reassemble both desktop and laptop computers.
• Introduction to Cyber Crime: This two day block of instruction is designed to teach the student proper search and seizure techniques, data hiding techniques (e.g., steganography, X-box modification, wireless external drives, etc.), proper bag and tag procedures, chain of custody, and proper procedures in conducting a forensics investigation.
• Digital Forensics Tools and Techniques: This is an intensive, hands-on three day block of instruction that teaches students the proper operation of digital forensics hardware and software tools. The majority of hardware and software tools available to practicing digital forensics investigators will be used during this block. This includes a Forensic Recovery of Evidence Device (FRED) system, Image Masster and Logicube hardware for imaging purposes, an Airlite forensics kit, write blockers, Linux/Unix tool sets, EnCase forensics software, AccessData’s Forensics ToolKit (FTK), Coroner’s tool kit, Autopsy, Sam Spade tool kits and others. The emphasis of this block is practical application of the digital forensics trade.

Curriculum Details
• Business Practices: This block is designed to train the student on the cost of entering the digital forensics business, programs offered by the US Department of Veterans Affairs that can assist in establishing a small business, return on investment, and pricing structures. The cost tradeoffs of purchasing commercial tools versus using freeware are discussed, and the advantages and disadvantages of each strategy are presented.
• Practical Experience Exercise: This is a one day “live fire” exercise where students are required to conduct a digital forensics investigation and demonstrate competency throughout the entire cycle of events – from search and seizure to evidence discovery and preservation.
• Advanced Forensics Techniques: These three to five days of additional training are necessary for those that intend to work for the government or that wish to be independent consultants. This additional week of instruction will cover cell phone forensics, PDA forensics, Windows forensics, and network forensics.
Success Stories
• PhD student at MSU conducted the initial investigation into an “Electronic Tribulation Army” hacker preparing for a massive infrastructure attack on July 4, 2009, and as a result, the FBI quickly made the arrest and prevented the attack.
• Columbus, MS Crime Lab up and running with provided equipment and training.
• Lee County, MS Sheriff’s Office now has a fully functional computer forensics laboratory.
• More than twenty convictions on child exploitation cases as a direct result of FTC training and equipment
• Providing backup forensic examinations on fraud and racketeering cases for MS AG’s office
• Oxford, MS PD has convictions on child exploitation cases as a direct result of FTC training and equipment
• Assisted MS Attorney General by:
  • Increasing investigative staff by one
  • Helping prepare proposal for Internet Crimes Against Children Task Force
  • Increasing capability to handle cell phones and small devices
  • Reducing requests for outside assistance through regional labs
• Increased Secret Service (Jackson office) capacity to work cases by providing the laboratory space in the CCFC
• Some wounded warriors are now working in digital forensics investigative agencies.
Contacts at MSU
• Dave Dampier, Director, Center for Computer Security Research and Director, National Forensics Training Center, [email protected], 662-325-2756
• National Forensics Training Center
  • Kendall Blaylock
  • Wes McGrew
  • 662-325-2422
http://www.msu-nftc.org