RE: [sleuthkit-users] Building a Computer Forensics Lab
From: Surago J. <su...@sj...> - 2005-09-08 06:08:59
Hi Charles,

I too am a master's student focusing on Digital Forensics (specifically the use of The SleuthKit and Autopsy browser as an analysis tool), and hope to have my thesis finished within the next month or so.

One area I can suggest you take into account is the processes and procedures utilised by investigators. Often in a lab environment much of the background information in regards to the actual acquisition of compromised material (i.e. PCs, servers, PDAs, etc.) is overlooked in favour of focusing on the actual analysis of the media retrieved.

During my studies I have come across various process models for both incident response and forensic investigation. One of these (the Integrated Digital Investigation Process Model - IDIP) was proposed by Brian Carrier and Eugene Spafford; this model takes into account many of the phases of a full-on investigation, from preservation of the crime scene to the presentation of one's findings. The following reference should help to locate this paper.

Carrier, B. and E.H. Spafford, Getting Physical with the Digital Investigation Process. International Journal of Digital Evidence, 2003. Fall 2003.

Venansius Baryamureeba and Florence Tushabe offer some criticisms of the IDIP model and in turn offer an Enhanced Digital Investigation Process Model. Their paper can be found with the following reference.

Baryamureeba, V. and F. Tushabe, The Enhanced Digital Investigation Process Model. Digital Forensics Research Workshop, 2004.

In regards to incident response, the CERT Coordination Centre (CERT/CC) has a substantial amount of information available about processes and procedures that would be vital background information to many investigations.

For standard operating procedures (SOPs) the U.S. Department of Justice (DOJ) published "Electronic Crime Scene Investigation: A Guide for First Responders", and the Association of Chief Police Officers (ACPO) in the United Kingdom publishes a guide that builds on the principles that were developed in collaboration with the International Organisation on Computer Evidence.

References...

Justice, N.I.o., Electronic Crime Scene Investigation: A Guide for First Responders. 2001. p. 93
ACPO, Association of Chief Police Officers. 2005, (http://www.acpo.police.uk/)
IOCE, International Organisation on Computer Evidence WebSite. 2003, (http://www.ioce.org/)
ACPO, ACPO Good Practice Guide to Computer Based Evidence. 2003, (http://www.acpo.police.uk/asp/policies/Data/gpg_computer_based_evidence_v3.pdf)

I believe the information provided here would be valuable background information that should be passed on to all potential investigators in the field. If anyone has any further background information similar to this, can they let me know; as technologies and techniques evolve these documents are continually updated.

Hope those references help.

Cheers

Surago.

________________________________
From: sle...@li... [mailto:sle...@li...] On Behalf Of Charles Nwatu
Sent: Thursday, 8 September 2005 11:44
To: sle...@li...
Subject: [sleuthkit-users] Building a Computer Forensics Lab

Hello Computer Forensics Community,

I am a first year Master's student at Penn State University and my area of focus is Computer Forensics and Incident Response. I am in the process of developing a computer forensics lab for the university and would appreciate any advice and assistance from the community in terms of recommending commercial software, open-source software, hardware and infrastructure. The curriculum is brand new and is in the process of being developed. Once again, any insight or advice would be helpful, ranging from links, to industry contacts, to slides, to whatever your imagination thinks is necessary.

The purpose of the lab, as far as I know, is the following:
1) create an environment in which students can learn computer forensics and incident retrieval (hands-on experience)
2) create a curriculum (which includes slides, bringing guest speakers, etc.)
3) the lab will be used to conduct research projects
4) the lab will be used by local county police for their investigations
5) the lab will be used by school police for their investigations
6) our goal is to have our proposed lab focus on both active and passive (proactive) forensics. In particular, we will establish honey pot and intrusion prevention and detection mechanisms to predict and detect attacker/hacker behavior.

Thanks
Charles