2015 Digital Forensics Curriculum Standards Workshop

The 3rd International Workshop on Digital Forensics Curriculum Standards (DFCS) will be held in Philadelphia, Pennsylvania on Thursday, August 13, 2015, in conjunction with the DFRWS USA 2015 conference. Visit the DFRWS USA 2015 website to register or to obtain information on hotel accommodations. The 3rd International Workshop on Digital Forensics Curriculum Standards (DFCS) was supported by funding provided by the National Science Foundation. For program details on our Digital Forensics Education Initiative, please see our website at: http://publish.illinois.edu/digital-forensics/

Organizing Committee: Roy Campbell, Eoghan Casey, and Masooda Bashir

There is a marked shortage of qualified digital forensics practitioners in the U.S., so the demand for education in this area is high. At the same time, the field of digital forensics also requires more research efforts in a range of areas that have not been adequately explored, such as reasoning about digital evidence, tool validation, data storage, and scalability. How do we fill this void in digital forensics research and adapt educational programs to do so as well?

The goal of this workshop is to serve as a forum for discussion of needs in digital forensics research and the possible methods to fill this void. We will bring together representatives from digital forensics organizations, practicing digital forensics professionals, and educators from universities and colleges. We will leverage our own experiences in developing an advanced course in an all-new multidisciplinary undergraduate digital forensics program at the University of Illinois, as well as the diverse perspectives and experiences of the participants. We hope to discover a common ground of how to fill the digital forensics research void.

The University of Illinois is organizing this workshop as a key step in the creation of its all-new digital forensics curriculum, which is being developed at Illinois but that we intend to disseminate broadly as a standardized approach. Our curriculum will include an introductory course with labs; an advanced course with labs; and a third course addressing special topics, which will be an advanced hands-on laboratory class. We have already developed the introductory lecture class, an advanced lecture class, and accompanying labs, and offered them to students at Illinois. We will present our findings on that process and discuss the challenges we experienced in presenting advanced digital forensics course topics and an implementation of a semester-long research project. We will also describe the curriculum content that we’re making available to other institutions, and our preliminary plans for our third course.

The workshop will consist of two keynote speeches and two panel discussions.

Keynotes:

Golden Richard – “Digital Investigation and the Trojan Defense, Revisited”

Over the past 15 years, digital forensics has been radically transformed by the introduction of new tools and techniques that support very detailed investigations of a wide variety of digital crime scenes, spanning unauthorized data exfiltration, fraud, employee misconduct, kidnapping, child pornography, and murder. Modern digital forensics tools can be used to deeply examine not only computer systems, but smartphones, voice recorders, printers, cars, and much more. A common defense used by those accused of wrongdoing in crimes involving digital evidence is the so-called Trojan defense, which essentially means “I didn’t do that–a computer virus did it.” This defense has traditionally been quickly dismissed by investigators after a cursory examination of digital devices for the presence of malware. Often, this sweep for malware consists of simply running an antivirus program, noting a negative result, and using this as a basis for proceeding with the charge of wrongdoing. In all likelihood, this process was historically fairly accurate, because it was pretty unlikely that a virus did “do it.” Now, in the face of increasingly sophisticated cyber attacks and malware infections, it’s frequently very possible that someone or something (e.g., malware) other than the “obvious” party may be guilty. The solution to unraveling the accuracy of Trojan defenses and pointing the finger of blame in the right direction is increased technical sophistication for investigators and a more developed sense of empathy for non-technical users, which has a direct impact on digital forensics education.

Raymond Manna – “Answering the Call: An Academic Approach for Preparing Tomorrow’s Digital Forensic Examiners, Today.”

The discipline of digital forensics is a very complex and evolving field of study. Academia’s approach of preparing future examiners for this field has to be equally evolving by predicting and understanding future trends in technology usage. Developing and nurturing specific personal and intellectual attributes within the future “front-line” examiners will play a pivotal role in meeting the demands of the public and private sectors. This presentation will help establish several desirable qualities that would greatly enhance ones ability to secure a career, and become a leader within the digital forensic community.

Panels:

In the Datasets panel, we will address the challenges of having datasets that are not comparable to real world data, looking into the creation of datasets that we can build and share for teaching and lab purposes. We will also look into the challenges presented with tool validation. How can we tell if the tool is working properly? Is the tool gathering everything it is supposed to? Are the tools secure enough? Can you accurately determine interference with obtaining a dataset? Has the dataset been tampered with since it was taken as evidence?

In the Advanced Topics panel, we will discuss the challenges of doing digital forensics on encrypted devices. What can you determine from an encrypted disk? What can you extract? We will also look into the evaluation of tools for building timelines. How do you certify them? What are good techniques for validating and certifying tools? How do you show the reliability of the evidence?

Agenda:

8:00 AM: Breakfast
8:30 AM: Welcome Address – Masooda Bashir, University of Illinois at Urbana-Champaign
9:00 AM: Keynote Address – Golden Richard, University of New Orleans
10:00 AM: Datasets Panel: Bill Crane (Chair) – Associate Professor, Champlain College; Ryan Cunningham – Lecturer, University of Illinois; Vassil Roussev – Associate Professor, University of New Orleans, Simson Garfinkel – NIST
10:40 AM: Datasets Discussion
11:00 AM: Advanced Topics Panel: Simson Garfinkel (Chair) – NIST; Ibrahim Baggili – Research Scholar, University of New Haven; Golden Richard – Professor, University of New Orleans; Nasir Memon – Department Head, NYU
11:40 PM: Advanced Topics Discussion
12:00 PM: Lunch Keynote – Raymond Manna, FBI
1:00 – 2:00PM: Wrap-Up