Hi Charles, First, let me just say I think you've hit the right field
of study. I just graduated from Georgia Tech with a masters in
infosec. I have been hired by a federal government agency in the
incident response/analysis field, and last summer my internship with
the U.S. Senate had an incident response component. I have also
gotten certified by the SANS Institute in both incident handling and
computer forensics, so my technical forensics knowledge largely comes
from those courses.
1. It's important to have a good technical infrastructure for
hands-on learning, but it's also important to teach policies,
planning, and procedures, i.e. an incident handling plan and a
forensics methodology. Forensics findings may potentially be used in
a legal or human resources setting and must stand up to scrutiny.
2. I would suggest starting with open source tools such as TSK. They
are relatively cheap to set up, and open source so students can
review source code. Don't close the door to proprietary products,
such as Guidance Software's EnCase suite (very expensive but has a
large professional user base).
3. On the forensics workstations, they should be dual-bootable and
have large hard drives. Dual-bootable as many forensics tools are
Linux-only or Windows-only. Large hard drives to store the large disk
images your students and analysts will be working on.
4. Consider VMware or another virtualization tool. It lets you run
"guest" operating systems from within another operating system. For
example, I may install VMware on Windows and make a virtual computer
with Linux on it. That way I can analyze live forensics images and do
passive analysis simultaneously. For example, I can run a suspected
piece of malware on a guest operating system to sandbox it, and then
use the same computer (host operating system) to sniff its network
traffic. A virtual heterogeneous network, all simulated on one computer.
Alan
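As an added illustration of the "forensics methodology" point above (this is not code from either message in the thread), here is the acquisition and integrity-check routine a lab's evidence handling starts with: image the source sector by sector, hash both source and image, log the hashes with a timestamp, and re-verify the image before each analysis session. It assumes only POSIX sh, dd, awk, date and sha256sum (shasum on macOS); the "device" in the demo is a constructed file standing in for a real drive such as /dev/sdb.

```shell
#!/bin/sh
# Added example, not from the thread: acquire, hash, log and re-verify a
# raw disk image. Assumes POSIX sh, dd, awk, date and sha256sum/shasum.

hash_file() {
    # Print the SHA-256 hex digest of $1.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

acquire_image() {
    # acquire_image SOURCE IMAGE LOG
    # Sector-by-sector copy. conv=noerror,sync keeps going past unreadable
    # sectors and pads them with zeros (real drives fail), which is why
    # dd's own records in/out report goes into the log instead of /dev/null.
    # Returns 0 only if source and image hash identically.
    src=$1; img=$2; log=$3
    printf '%s acquire %s -> %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" >>"$log"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    printf 'source_sha256 %s\nimage_sha256 %s\n' "$src_hash" "$img_hash" >>"$log"
    [ "$src_hash" = "$img_hash" ]
}

verify_image() {
    # verify_image IMAGE LOG
    # Recompute the image hash and compare it with the last image_sha256
    # recorded in LOG. Returns 0 if the image is unchanged, 1 otherwise.
    expected=$(awk '/^image_sha256 /{h=$2} END{print h}' "$2")
    actual=$(hash_file "$1")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

demo() {
    # Walk-through on a constructed 4-sector "device": acquire, verify,
    # tamper, verify again. Returns 0 if every check behaves as expected.
    work=$(mktemp -d) || return 1
    printf 'constructed evidence block' | dd of="$work/dev" bs=512 count=1 conv=sync 2>/dev/null
    dd if=/dev/zero bs=512 count=3 >>"$work/dev" 2>/dev/null
    acquire_image "$work/dev" "$work/evidence.dd" "$work/acquisition.log" || return 1
    verify_image "$work/evidence.dd" "$work/acquisition.log" || return 1
    printf 'x' >>"$work/evidence.dd"            # simulate accidental modification
    if verify_image "$work/evidence.dd" "$work/acquisition.log"; then
        return 1                                # tampering must be detected
    fi
    cat "$work/acquisition.log"
    rm -rf "$work"
    return 0
}
```

In a real lab the source would sit behind a hardware write blocker, the log would be signed or kept on separate media, and a mismatch between source and image hashes after a run with read errors would be explained by the dd error lines captured in the same log.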
At 18:44 9/7/2005, Charles Nwatu wrote:
>Hello Computer Forensics Community,
>
>I am a first year Master's student at Penn State University and my
>area of focus is Computer Forensics and Incident Response, I am in
>the process of developing a computer forensics lab for the
>university and would appreciate any advice and assistance from the
>community in terms of recommending commercial software, open-source
>software, hardware and infrastructure. The curriculum is brand new
>and is in the process of being developed. Once again, any insight or
>advice would be helpful, ranging from links, to industry contacts,
>to slides, to whatever your imagination thinks is necessary.
>
>The purpose of the lab, as far as I know are the following:
>
>1) create an environment in which students can learn computer forensics and
> incident retrieval. (hands-on experience)
>
>2) create a curriculum (which includes slides, bringing guest speakers, etc)
>
>3) the lab will be used to conduct research projects
>
>4) the lab will be used by local county police for their investigations
>
>5) the lab will be used by school police for their investigations
>
>6) our goal is to have our proposed lab focus on both active
>and passive (proactive) forensics. In particular, we will establish
>honey pot and intrusion prevention and detection mechanisms to
>predict and detect attacker/hacker behavior.
>
>Thanks
>
>Charles