Teaching Computer Forensics

The Development of Challenging Assessments for Computer

Forensics Students 

Diane Gan, David Chadwick, Dimitris Frangiskatos

D.Gan@gre.ac.uk, D.R.Chadwick@gre.ac.uk, D.Frangiskatos@gre.ac.uk

School of Computing & Mathematical Sciences

University of Greenwich

2

Contents

Introduction– Programmes, modules, students– Problems and solutions

Course and Assessment– The scenario

Teaching Computer Forensics– Educational paradigm: PBL

Did it work?– Results– Expert testimony– Student experience

Conclusions

Why?

When you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot measure it, when you cannot express it in numbers, your knowledge is a meagre and unsatisfactory kind; it may be the beginning of knowledge, but you have scarcely, in your thoughts, advanced to the state of science.—William Thomson, Lord Kelvin, 1883

10/04/23 By Dimitrios Frangiskatos, fd26@gre.ac.uk 3

Introduction

Programmes and modules– UG Programmes with Computer Forensics (as an option in

years II and III):

BSc Computer ScienceBSc Software Engineering

– PG Programmes in Computer Forensics : MSc Computer Forensics and Systems Security MSc Computer Forensics and Security Management

– PG Programmes with Computer Forensics (as an option):

MSc Network & Computer Systems SecurityMSc Information Security & Audit

10/04/23 By Dimitrios Frangiskatos, fd26@gre.ac.uk 4

Students

PG: programmes mostly overseasUG: home students with some overseasFor both the of the above the following apply:– They think its like CSI– They will find most of the evidence but will struggle

with the analysis of the evidence (critical evaluation)– Report writing is the main issue

And when the report is good is too techie!!!

10/04/23 By Dimitrios Frangiskatos, fd26@gre.ac.uk 5

Problems and solutions

Lab machines: dedicated VS accessible to all Lab setup: forensic lab with state of the art machinesVMware and Windows 7Access to hardware – write-blockers, mobile phone forensic kits, EnCase Support for labs – dedicatedLectures - sharing a module between three lecturers

10/04/23 By Dimitrios Frangiskatos, fd26@gre.ac.uk 6

Course and Assessment

A forensic scientist can easily become a forensic investigator but its not so easy for the oppositeMultidiscipline approach for the programmes that have forensics as an optionExam 50% , Coursework 50% Coursework– To catch a thief one must think like one– Profile of the suspect

10/04/23 By Dimitrios Frangiskatos, fd26@gre.ac.uk 7

Course and Assessment (contd.)

Industrial espionage caseA USB stick that has been imaged without the suspect’s knowledgeAnalysis of the evidence:– Lots of files - lots evidence

e.g. A BMP file with an email steganographically embedded into it – steg tools must be usedevidence everywhere – some red herrings

– Lots of circumstantial evidence: tools for hacking, stego, network sniffing, Illegal software, copyrighted music, pictures of sexual nature - secondary evidence which constitute a breach of contract.

10/04/23 By Dimitrios Frangiskatos, fd26@gre.ac.uk 8

Educational Paradigm: PBL

In PBL (Problem Based Learning) the focus is on :

1. organising the curricular content around problem scenarios rather than subjects/disciplines

2. having problem scenarios that reflect real world situations

3. encouraging students to learn by themselves as they seek further knowledge

4. having staff engaged as ‘learning facilitators’ rather than ‘front of the class’ pedagogists

5. encouraging students to learn together and share the further knowledge research process

10/04/23 By Dimitrios Frangiskatos, fd26@gre.ac.uk 9

Why Problem Based Learning?

Contextually valid :-– Problems taken from professional or academic practice,– students acquire knowledge around these problems.

Indications that it has a strong motivating effect as:-– little emphasis on perceived ‘dry’ theory, – more emphasis on exciting practitioner elements.

Designed to emulate professional practice in a way that assessment is :– performance-based, – holistic, – permits students to input own thoughts and decisions.

10/04/23 By Dimitrios Frangiskatos, fd26@gre.ac.uk 10

PBL – any problems?

Research literature suggests that students take easily to the PBL approach as they find it a more natural way of learningIt is the staff who have the greater problem in accepting it, often being unable to ‘let go’ of the customary question and answer pedagogic role LTSN Assessment Series 13, 2010; A briefing On Assessment in Problem-Based Learning; MacDonald R, Savin-Baden M; http://www.bioscience.heacademy.ac.uk/; 9th Nov 2010[LTSN Assessment series 13, 2010; p6].

10/04/23 By Dimitrios Frangiskatos, fd26@gre.ac.uk 11

Roles of The Tutors as Facilitators

Tutor 1 (Tools): Students unsure where to start.

Concept of a ‘tool-set’ from which tools were to be selected and decisions made as to which to try first and how.

Tutor 2: (Report) Students unsure how to report findings

Various directions on need for structuring thoughts and findings and following a standard report format.

Tutor 3: (Court) Students unsure re: appearance and cross-examination.

Topics broached such as court room procedure, where an expert witness might physically stand, dress and speak.

Approach well-accepted; – the different tutor personalities strengthened the process– Students praised a ‘bank of specialist knowledge’ to call on.

10/04/23 By Dimitrios Frangiskatos, fd26@gre.ac.uk 12

Results

Report• students submitted a written report • found the template challenging• students chose to use FTK• why - easier to use than EnCase - download a free

version • all the students found the “easy” evidence• best students found nearly all the evidence• even the encrypted and password protected files

10/04/23 By Dimitrios Frangiskatos, fd26@gre.ac.uk 13

Expert Witness testimony

Law students - gave the exercise an extra dimensionwhen forensics students began to use “techie” language they were stopped immediatelythey had to explain any term or a phrase that they had usedused terms that they could not adequately explain, in an attempt to impress the “jury”

10/04/23 By Dimitrios Frangiskatos, fd26@gre.ac.uk 14

Expert Witness testimony (contd.)

Assessed on:-• appearance • professional demeanour• ability to answer questions confidently and competently• content of their evidence• or not explaining anything they were discussing at the right

• Marks given for each presentation were a combination of the lecturer’s mark and the “jury’s” marks

• Law students were asked if they thought that this “expert witness” had convinced them that the defendant was guilty

• average coursework mark for the class was 55.133%• top student got 97%10/04/23 By Dimitrios Frangiskatos, fd26@gre.ac.uk 15

The student experience

10/04/23 By Dimitrios Frangiskatos, fd26@gre.ac.uk 16

QUESTIONS REPLIES

1. Did you enjoy the experience – Yes/No?

67% (24 of the 36) said Yes

1. Did you learn from the experience – Yes/No?

100% (36 of the 36) said Yes

1. Do you have any suggestions on how it might be improved?

Several suggestions were made including:More preparation time to be given

• Assignment was worth 50% of the course grade

•CMS Students (the Expert Witnesses) were formally questioned on their experience.

• 36 students took part in this survey out of a cohort of 50

Student experience (contd.)

• Law students voluntarily offered feedback• all of them reported that they had enjoyed the

experience and had learned something

Main learning outcomes were:-• they had found it a useful experience to actively

cross-examine an expert witness• they had learned some useful computer jargon

hitherto not part of their Law studies • they had learned that computer based crimes

could be difficult and complex to understand 10/04/23 By Dimitrios Frangiskatos, fd26@gre.ac.uk 17

Conclusions

We have discussed the development of the course work for the core course Computer Crime and Forensics and the innovative way that we assessed that coursework. The three parts of the coursework, which were the analysis of the evidence, the report writing and the presentation as an expert witness have been discussed. The student experience has been reported, which was very positive. In the Annual Student Survey, 86% of the students said that they would recommend this course to a friend.

10/04/23 By Dimitrios Frangiskatos, fd26@gre.ac.uk 18

Conclusions (contd.)

Our PBL approach has proved to be a success in the teaching of computer forensics.Our three tutor approach to the teaching has also contributed to making this new discipline a success. We intend to continue with this paradigm and, build upon it with more ‘facilitation’ sessions and more in depth follow up questions. We also intend to strengthen our links with the Law Department in order to enhance the contribution of the Law students.

10/04/23 By Dimitrios Frangiskatos, fd26@gre.ac.uk 19

The end

Any Questions?Opinions?

Suggestions?

All welcome!

10/04/23 By Dimitrios Frangiskatos, fd26@gre.ac.uk 20