COURSE CONTENT

A typical Computer Forensics course should deal specifically with DOS, Windows, Windows 95, Windows 98, Window 2000, Windows XP and Windows ME. Concerning these operating systems, it should cover evidence preservation, evidence-processing methodologies, and computer security risk assessments in detail. It should touch briefly on issues dealing with Windows NT, Windows 2000, and Windows XP. However, you should have an advanced Windows NT training course that covers computer security and computer evidence issues associated with Windows NT, Windows 2000, and Windows XP in great detail.

Today, Windows 98 and Windows 2000 are the predominant operating systems used on notebook and desktop computers. Thus, they are the most likely operating systems to be encountered in computer investigations, internal audits, and computer security reviews. Most computer forensic courses do not cover the use of Black Box computer forensics software tools. Those tools are good for some basic investigation tasks, but they do not offer a complete and accurate computer forensics solution. Furthermore, such approaches are useless in computer security risk assessments. Computer security risk assessments usually require that searches and file listings be conducted overtly (or covertly) from a single floppy diskette.

Each participant in a computer forensics course who successfully completes the course, should receive some sort of a Certificate of Completion that is suitable fo framing. They should also leave the course with a good understanding of the following:

• Computer evidence processing

• Preservation of evidence

• Trojan horse programs

• Computer forensics documentation

• File slack

• Data-hiding techniques

• Internet-related investigations

• Dual-purpose programs

• Text search techniques

• Fuzzy logic tools used to identify previously unknown text

• Disk structure

• Data encryption

• Matching a floppy diskette to a computer

• Data compression

• Erased files

• Internet abuse identification and detection

• The boot process & memory resident programs

Computer-Evidence-Processing Procedures

The processing procedures and methodologies taught in a computer forensics course should conform to federal computer-evidence-processing standards. The tools that are used in the course, as well as the methods and procedures taught, should work with any computer forensics tools. The methods and many of the software tools should conform specifically to the computer-evidence-processing procedures followed by the FBI, U.S. Department of Defense and the U.S. Drug Enforcement Administration.

Preservation of Evidence

Computer evidence is very fragile and it is susceptible to alteration or erasure by any number of occurrences. The participant should be exposed to bit stream back-up procedures that ensure the preservation of all storage levels that may contain evidence.

Trojan Horse Programs

The need to preserve the computer evidence before processing a computer will be clearly demonstrated through the use of programs designed to destroy data and modify the operating systems. The participant should demonstrate his (or her) ability to avoid destructive programs and traps that can be planted by computer users bent on destroying data and evidence. Such programs can also be used to covertly capture sensitive information, passwords, and network log-ons. This should also be demonstrated during the course.

Computer Forensics Documentation

The documentation of forensic-processing methodologies and findings is important. This is even true concerning computer security risk assessments, computer incident responses, and internal audits, because without proper documentation it is difficult to present findings in court or to others. If the computer security or internal audit findings become the object of a lawsuit or a criminal investigation, then accurate documentation becomes even more important. The participant should be taught computer-evidence-processing methodology that facilitates good evidence-processing documentation and solid evidence chain of custody procedures. The benefits will be obvious to investigators, but they will also become clear to internal auditors and computer security specialists during the course.

File Slack

The occurrence of random memory dumps in hidden storage areas^[viii] should be discussed and covered in detail during workshops. Techniques and automated tools used to capture and evaluate file slack should be demonstrated in the course. Such data is the source of potential security leaks regarding passwords, network log-ons, e-mail, database entries, and word processing documents. These security and evidence issues should be discussed and demonstrated during the course. The participants should be able demonstrate their ability to deal with slack from both an investigations and security risk standpoint. They should also be able demonstrate their proficiency in searching file slack, documenting their findings, and eliminating security risks associated with file slack.

Data-Hiding Techniques

Trade secret information and other sensitive data can easily be secreted using any number of techniques. It is possible to hide diskettes within diskettes and to hide entire computer hard disk drive partitions. These issues should be discussed from a detection standpoint as well as from a security risk standpoint. Tools that help in the identification of such anomalies should demonstrated and discussed (AnaDisk). Participants should be required to demonstrate their understanding of such issues. This aspect of the training becomes especially important during the last day of the course when the participants are called on to identify and extract their Certificate of Completion from a special floppy diskette.

Internet-Related Investigations

Issues and techniques related to the investigation of Internet-related matters should be covered in the course. This should include a demonstration of how Internet-related evidence differs from more traditional computer evidence. Emphasis should be placed on the investigation of Internet-based terrorist leads.

Dual-Purpose Programs

Programs can be designed to perform multiple processes and tasks at the same time. They can also be designed for delayed tasks and processes. These concepts should be demonstrated to the participants during the course through the use of specialized software. The participant should also have hands-on experience with such programs.

Text Search Techniques

Specialized search techniques and tools should be developed that can be used to find targeted strings of text in files, file slack, unallocated file space, and Windows swap files. Each participant should leave the class with the necessary knowledge to conduct computer security reviews and computer-related investigations. Because of the need to search for non-Latin words and word patterns tied to foreign languages, the course should also cover the search of such data tied to foreign languages (Farsi, Chinese, Japanese, etc.).

Fuzzy Logic Tools Used to Identify Previously Unknown Text

A methodology and special computer forensics tools should be developed that aid in the identification of relevant evidence and unknown strings of text. Traditional computer evidence searches require that the computer specialist knows what is being searched for. However, many times not all is known in investigations. Thus, not all is known about what may be stored on a targeted computer system. In such cases, fuzzy logic tools can assist and can provide valuable leads as to how the subject computer was used. The participant should fully understand these methods and techniques. They should also be able to demonstrate their ability to use them to identify leads in file slack, unallocated file space, and Windows swap files.

Disk Structure

Participants should leave the course with a solid understanding of how computer hard disks and floppy diskettes are structured and how computer evidence can reside at various levels within the structure of the disk. They should also leave the class with a good understanding of how easy it is to modify the disk structure and to hide computer data in obscure places on floppy diskettes and hard disk drives.

Data Encryption

A computer forensics training course should also cover how data is encrypted and illustrate the differences between good encryption and bad encryption. The participants should become familiar with the use of software to crack security associated with these different encryption file structures.

Matching a Floppy Diskette to a Computer

Specialized computer forensics techniques and computer forensics tools should also be developed that make it possible to conclusively tie a floppy diskette to a computer hard disk drive. Each participant should also be taught how to use special software tools to complete a unique computer storage data-matching process. Some computer forensics experts indicate that floppy diskettes are no longer popular. They are wrong! Actually, floppy diskettes are found to be a valuable source of computer evidence in some civil litigation cases that involve the theft of trade secrets.

Data Compression

The participant should be shown how data compression programs can be used to hide and/or disguise critical computer data. Furthermore, the participant should learn how password-protected compressed files can be broken.

Erased Files

Participants should be shown how previously erased files can be recovered using computer forensics processes and methods. Documentation of the process should also be covered in detail.

Internet Abuse Identification and Detection

The participant should be shown how to use specialized software to identify how a targeted computer has been used on the Internet. This process should focus on computer forensics issues tied to data that the computer user probably doesn’t realize exists (file slack, unallocated file space, and Windows swap files). Participants should gain hands-on experience in using this unique technology and they should be given the opportunity to purchase the software for a nominal charge. Nevertheless, it should be provided free of charge to law enforcement computer crime specialists who attend the course. Law enforcement agencies are typically underfunded.

The Boot Process and Memory Resident Programs

Participants should be able to see how easy it is to modify the operating system to capture data and/or to destroy computer evidence. Such techniques could be used to covertly capture keyboard activity from corporate executives, government computers, and the like. For this reason, it is important that the participants understand these potential risks and how to identify them.

Finally, let’s look at a couple of computer forensics case study scenarios. These scenarios will briefly cover planned forensics responses.

^[viii]John R. Vacca, The Essential Guide to Storage Area Networks, Prentice Hall, 2002.