Re: [sleuthkit-users] Building a Computer Forensics Lab
From: Alan <ts...@as...> - 2005-09-08 00:04:10
Hi Charles,

First, let me just say I think you've hit the right field of study. I just graduated from Georgia Tech with a master's in infosec. I have been hired by a federal government agency in the incident response/analysis field, and last summer my internship with the U.S. Senate had an incident response component. I have also gotten certified by the SANS Institute in both incident handling and computer forensics, so my technical forensics knowledge largely comes from those courses.

1. It's important to have a good technical infrastructure for hands-on learning, but it's also important to teach policies, planning, and procedures, i.e. an incident handling plan and a forensics methodology. Forensics findings may potentially be used in a legal or a human resources setting and must stand up to scrutiny.

2. I would suggest starting with open source tools such as TSK. They are relatively cheap to set up, and open source, so students can review the source code. Don't close the door to proprietary products, such as Guidance Software's EnCase suite (very expensive, but it has a large professional user base).

3. The forensics workstations should be dual-bootable and have large hard drives. Dual-bootable, as many forensics tools are Linux-only or Windows-only. Large hard drives, to store the large disk images your students and analysts will be working on.

4. Consider VMware or another virtualization tool. It lets you run "guest" operating systems from within another operating system. For example, I may install VMware on Windows and make a virtual computer with Linux on it. That way I can analyze live forensics images and do passive analysis simultaneously. For example, I can run a suspected piece of malware on a guest operating system to sandbox it, and then use the same computer (host operating system) to sniff its network traffic. A virtual heterogeneous network, all simulated on one computer.

Alan

At 18:44 9/7/2005, Charles Nwatu wrote:
>Hello Computer Forensics Community,
>
>I am a first year Master's student at Penn State University and my
>area of focus is Computer Forensics and Incident Response. I am in
>the process of developing a computer forensics lab for the
>university and would appreciate any advice and assistance from the
>community in terms of recommending commercial software, open-source
>software, hardware and infrastructure. The curriculum is brand new
>and is in the process of being developed. Once again, any insight or
>advice would be helpful, ranging from links, to industry contacts,
>to slides, to whatever your imagination thinks is necessary.
>
>The purpose of the lab, as far as I know, is the following:
>
>1) create an environment in which students can learn computer forensics and
> incident retrieval (hands-on experience)
>
>2) create a curriculum (which includes slides, bringing guest speakers, etc.)
>
>3) the lab will be used to conduct research projects
>
>4) the lab will be used by local county police for their investigations
>
>5) the lab will be used by school police for their investigations
>
>6) our goal is to have our proposed lab focus on both active
>and passive (proactive) forensics. In particular, we will establish
>honey pot and intrusion prevention and detection mechanisms to
>predict and detect attacker/hacker behavior.
>
>Thanks
>
>Charles