Framework for the Design of Web-based Learning for Digital Forensics

Nov 10, 2012

Kevin R. Lawrence

Computer Information Systems, Senior

Department of Computer and Information Sciences,

309 Technical Building A,

Tallahassee, FL 32307-5100

Dr. Hongmei Chi



Contents

Introduction
Investigating Tools
Investigating Labs
Lab Overview
Designing Labs
Web-based Learning
Advantages of Web-based Learning
The Educational Web-based System
Abstract Model
The Semantic Web
Education and The Semantic Web
“Intelligent” Web-learning
How does it Work?
The Setting
Conclusion
Discussion/Future Research
References

Introduction


Digital forensics, like many other technical computing fields,
requires both theory and hands-on practice to be proficient.
Hands-on labs expose students to real-time exercises and give
them a better understanding of theoretical content.

With advancements in technology, labs can be made available via the
Internet using Web-based educational systems.

Unlike courses such as programming, where a student may need only
one piece of software, such as an editor like TextPad or an
Integrated Development Environment like Eclipse or NetBeans,
digital forensics utilizes many tools. A vast number of tools exist,
including commercial products and free open-source software.

Introduction cont.


The Internet can be used as more than just a medium to deliver labs. It
can also be used for teaching by taking advantage of Semantic Web
technology and applying it to education. The system is intended to
need no input from the user but to react to the user accordingly. It is
intended to act as a personal tutor.

Investigating Tools


Teaching a student how to use every tool is clearly impractical.
However, the student must be equipped with enough knowledge and
understanding to create a strong foundation to build on in the future.
A student must be familiar with certain tools of the trade, such as an
imager. Table 1 gives an overview of some of the tools investigated
that can be used to develop a lab.

Investigating Tools cont.

Table 1. List of Forensic Tools for Hands-on Laboratory Assignments

Columns: Title, Description, Features, Advantages

Title: AccessData Forensic Toolkit (FTK)

Description: FTK contains a full suite of password recovery tools, drive
and media wipers, a registry viewer and other useful products [1]. It is
strong in Windows file systems and does handle Linux file systems. It is
advertised to be a single integrated solution.

Features and advantages:
Imager
Registry Viewer
Password Recovery
Query Searching
Data Carving
Integrated viewers and an integrated media player to view any given set of data
EFS Decryption [2]
Password Dictionary Creation [2]
Fast Searching
Handles over 270 kinds of files
Bookmarking [2]
Reporting [2]
Case Management
Supports many e-mail applications
Title: Helix

Description: Helix is a forensically sound bootable live CD [5]. Helix is
used for live analysis, which involves analysis of a running system in
real time. Helix is not just for Linux as it comes equipped with a special
Windows auto-run side for Incident Response and Forensics [5].

Features and advantages:
Imager
Password Recovery
Cookie Viewer
Internet History Viewer
Registry Viewer
File recovery
Protected Storage Viewer
Scan for pictures
Many applications in one
No installation required
Performs Live analysis
Easy to use and navigate through the available applications

Table 1 continued. List of Forensic Tools for Hands-on Laboratory Assignments

Title: Sleuth Kit

Description: Sleuth Kit is a set of free, open-source computer forensic
tools built on the Coroner’s Toolkit. The Sleuth Kit (TSK) is a collection
of UNIX-based command line tools that allow you to investigate a
computer [13].

Features and advantages:
Create timeline of file activity
Sorts files based on their file type and performs extension checking and hash database lookups
Analyze image partition structures
Process data units at content location
Efficient in UNIX environment
Compatible with Autopsy Forensic Browser to provide a Graphical User Interface [ ]
Case Management [ ]
Keyword Searching [ ]

Title: WinHex

Description: WinHex is a universal hexadecimal editor capable of
inspecting and editing all kinds of files, recovering deleted files or
lost data from hard drives with corrupt file systems [14].

Features and advantages:
Disk editor
Data Recovery
Analyze and Compare Files
Disk cloning
Drive and File wiper
Encryption
Captures free space and slack space
File Preview
Simultaneous Search functions [ ]
Automated File Recovery [ ]


Title: ProDiscover

Description: ProDiscover has several tools aimed at solutions for incident
response, e-discovery, and computer forensics [11]. Each tool has several
core features in common with the others but is distinct in other features.
ProDiscover Incident Response is full featured.

Features and advantages:
Preview and Image Local Disk
Integrated Graphics Thumbnail viewer
Integrated Registry Viewer
Information
Disk Wiper
Incident Response Capability
Network functions
Investigate and monitor internal computer systems
Automatically generate quality reports

Investigating Labs


Certain techniques and procedures have to be established in the quest of
evidence identification, preservation, extraction, documentation, and
interpretation. Individual lab work is designed to help students
understand these procedures, learn some fundamental techniques and
practice them first hand.

Knowing and understanding the tasks a computer forensic professional
may be called on to do provides a sufficient guide as to how to design
a lab.

Investigating Labs cont.


Some lab assignments may include:




Acquiring an image for analysis


Recovering deleted data


Dead and Volatile Analysis


Removable media analysis


Utilizing operating system’s preinstalled tools e.g., event log and
event viewer


Password and encryption methods


Decrypting files


Identifying images and steganography


Finding hidden data


Lab Overview


Case Description:

What crimes have been committed? Give a scenario leading up to the
investigation and stating why the computer may be a rich source of
evidence.

Lab goal:

What’s the purpose of this lab? What new techniques in digital
forensics will the student take away?

Some guidance as to how to go about the investigation:

Small hints to guide the student in the right direction. Hints will be
minimized as lab difficulty increases.


Lab Overview cont.


What did you find?

What kind of evidence did the student recover during the investigation?

What procedures were taken?

What did you do and why? Did you search e-mail files, look at Internet
activity, etc.?

What can be inferred from the uncovered evidence?

Is the evidence really evidence? Is it relevant? What does the evidence tell us?

Conclusion:

A small report summarizing findings and their relevance, along with the report
generated by the software if it has that function. What does the evidence
conclude?


Designing Labs


Several different labs will be designed to accommodate
various difficulty levels and students’ majors (computer
majors versus criminal justice majors or any other majors).
The labs will express the different scenarios that a forensic
examiner may experience in the field (law enforcement
cases versus corporate-type cases) and encompass samples
of real cases.

Web-based Learning

The World Wide Web enables the development of powerful
information sources to support learning and facilitates
student-centered instruction [9]. Delivering lab work via the
Internet has its advantages, but developing such a system also
brings complications.

Advantages of Web-based Learning

One advantage of e-learning is that many students are able to
access the same material from any location at any given time,
provided they are equipped with the necessary tools to complete
the lab. Other advantages include:

interactive course material,

distance learning with automatic assessment,

timely feedback, and

self-discovery.

The Educational Web-based System

Figure 1 provides a conceptual view of the system, in which user
information is stored in a database. This information is gathered at
initial sign-up for the system.

The labs will be stored with various attributes such as difficulty
level, skills required, skills gained after completion and other
valuable information that the system will use to get a good
understanding of what the student has completed.

The interaction between student and lab is “analyzed” by the
system using complex algorithms for reasoning. These algorithms
will determine which lab the student has completed, and which lab
is to be given next.

Abstract Model

Figure 1: An abstract model representation of the educational web-based digital forensic lab system.

The Semantic Web


The Semantic Web is a mesh of information linked up in such
a way as to be easily processable by machines, on a global
scale [10]. The Semantic Web is an evolving extension of
the World Wide Web in which data on the Web carries
specific metadata, resources are named by uniform resource
identifiers (URIs), and the Resource Description Framework
(RDF) is used to represent such data.

RDF is a framework for representing data about data (metadata),
and a model for representing such metadata about resources
on the Web. This makes it possible for information to be
machine readable and understandable.

Education and The Semantic Web


Given the advantages the Semantic Web provides, it would be
efficient to develop Web-based educational systems under its
rules. It should provide an efficient infrastructure for storing,
retrieving and manipulating data on the web [4]. In addition,
it can improve communication between the user and the
Web.

“Intelligent” Web-learning

The interaction between student and web-based lab is
“analyzed” by the system using complex algorithms for
reasoning.

These algorithms will determine which lab the student has
completed, and which lab is to be given next. The lab that is
given next shall depend upon the student’s successes and
failures on the previous lab taken.


“Intelligent” Web-learning cont.

Characteristics such as the time taken or the number of steps
taken to complete a lab in relation to its difficulty level, and
the mistakes made versus correct steps taken, are among the
information that the system will use to teach through
elaborate student-assignment evaluation.

Applying “intelligence” to web-learning will help improve
students’ skills by using feedback from each student's
background and results of previous labs.
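
One way the lab-selection step described in the slides above could work, as an added example that is not part of the original presentation: lab attributes are held as RDF-style triples, and the next lab is chosen from the student's step accuracy and time taken on earlier labs. The lab names, predicates, scoring formula and thresholds are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed lab metadata as RDF-style (subject, predicate, object) triples.
# Lab names, predicates and thresholds are assumptions made for this example.
TRIPLES = [
    ("lab:imaging", "difficulty", 1), ("lab:imaging", "skillGained", "imaging"),
    ("lab:recovery", "difficulty", 2), ("lab:recovery", "skillRequired", "imaging"),
    ("lab:recovery", "skillGained", "file-recovery"),
    ("lab:eventlog", "difficulty", 2), ("lab:eventlog", "skillRequired", "imaging"),
    ("lab:eventlog", "skillGained", "log-analysis"),
    ("lab:stego", "difficulty", 3), ("lab:stego", "skillRequired", "file-recovery"),
    ("lab:stego", "skillGained", "steganography"),
]
LABS = {s for s, _, _ in TRIPLES}

def objects(subject, predicate):
    """All objects of triples matching (subject, predicate, ?)."""
    return {o for s, p, o in TRIPLES if s == subject and p == predicate}

def difficulty(lab):
    return next(iter(objects(lab, "difficulty")))

@dataclass
class Attempt:
    lab: str
    correct_steps: int
    mistakes: int
    minutes: float           # time the student took
    expected_minutes: float  # time budget for the lab's difficulty level

def score(a):
    """Step accuracy, scaled down when the lab ran over its expected time."""
    total = a.correct_steps + a.mistakes
    accuracy = a.correct_steps / total if total else 0.0
    pace = min(1.0, a.expected_minutes / a.minutes) if a.minutes > 0 else 0.0
    return accuracy * pace

def next_lab(history, pass_mark=0.6, advance_mark=0.85):
    """Pick the next lab from the attempt history (oldest first); None when done."""
    target = 1  # a new student starts at the lowest difficulty level
    if history:
        last = history[-1]
        if score(last) < pass_mark:  # failed: repeat the same lab
            return last.lab
        # A strong result steps up one level; a bare pass stays at the same level.
        target = difficulty(last.lab) + (1 if score(last) >= advance_mark else 0)
    passed = {a.lab for a in history if score(a) >= pass_mark}
    skills = {s for lab in passed for s in objects(lab, "skillGained")}
    ready = [lab for lab in LABS - passed if objects(lab, "skillRequired") <= skills]
    return min(ready, key=lambda lab: (abs(difficulty(lab) - target), lab), default=None)
```

A lab is offered only once the skills it requires have been gained from passed labs, so a student who finishes the imaging lab slowly is asked to repeat it rather than being moved on to file recovery.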


How does it Work?


The Semantic Web is expected to provide a number of intelligent,
high-level services [4], including search agents, information
filters, intelligent information integration and knowledge
management.

These services require specific ontologies [4] that include
unambiguous machine-readable descriptions of services and
other properties [4].

How does it work? Cont.


Pedagogical agents [4] do the “labor” work, such as fetching
educational content from educational servers, while
interacting with other agents to accomplish a task.

The educational server does the “intelligent” work; that is, it
sorts and arranges content based on the student and
essentially acts as the personal tutor for the student.

Web-learning will be rendered “intelligent”, and will therefore
better understand the student and provide timely, effective
responses and feedback.

The Setting

V. Devedzic/Education and the Semantic Web

Figure 2: The Semantic Web Setting for E-Learning

Conclusion


By exploiting the advantages of e-learning/web-based
learning, we hope to supply students with a more interactive,
convenient, efficient way of learning via the Internet through
the powers of the Semantic Web.

Hands-on labs are very important to a student, especially one
who is taking a digital forensics course. Investigatory methods
and techniques are learned more efficiently through hands-on
work, and although we have developed a series of labs, we
wish to expand that collection and make it accessible from
anywhere a computer and Internet connection are available.

Discussion/Future Research


In the future we hope to familiarize ourselves with more
tools and create more labs that exploit the features of many
different tools and concur with the design variations we
want. In addition, we will improve on existing labs and
continuously retrieve student feedback to make labs better
learning tools and student friendly. Future research will be
conducted to formalize the abstract design discussed in this
paper that will eventually lead to implementation and testing.


References


[1] AccessData - Forensic Toolkit® 2.0, http://www.accessdata.com/Products/ftk2test.aspx

[2] Clark, T. AccessData Forensic Toolkit Sales and Promotional Summary, http://www.accessdata.com/media/en_us/print/techdocs/Forensic%20Toolkit.pdf, 2007.

[3] Corter, J. E., Nickerson, J. V., Esche, S. K. & Chassapis, C. Remote Versus Hands-On Labs: A Comparative Study. 34th ASEE/IEEE Frontiers in Education Conference, October 20-23, 2004, Savannah, GA.

[4] Devedzic, V. Education and the Semantic Web. International Journal of Artificial Intelligence in Education 14, 39-65, 2004, Department of Information Systems and Technologies, FON School of Business Administration, University of Belgrade, Belgrade.

[5] Helix - Incident Response & Computer Forensics Live CD by e-fense™, Inc. http://www.e-fense.com/helix/index.php

[6] Kuznetsov, H. Technology-based Innovative Teaching Methods, Proceedings of the 2002 American Society for Engineering Education Annual Conference & Exposition, University of Illinois at Urbana-Champaign, IL.

[7] LogParser 2.2 Documentation, http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1287


References cont.


[8] McKimm, J., Jollie, C. & Cantillon, P. ABC of learning and teaching Web based learning, BMJ Volume 326, 19 April 2003.

[9] Oliver, R., Omari, A. & Herrington, J. Exploring Student Interactions in Collaborative World Wide Web Learning Environments. Edith Cowan University, Western Australia.

[10] Palmer, S. B. The Semantic Web: An Introduction. http://infomesh.net/2001/swintro/ 2001-09.

[11] ProDiscover Computer Forensics Family, http://www.techpathways.com/DesktopDefault.aspx and http://www.techpathways.com/ProDiscoverFamilyGuide.htm.

[12] Santally, M. I. & Senteni, A. Adaptation Models for Personalisation in Web-based Learning Environments. Malaysian Online Journal of Instructional Technology, ISSN: 1823-1144, Vol. 2, No. 1, April 2005, Virtual Centre for Innovative Learning Technologies University of Mauritius, Mauritius.

[13] The Sleuth Kit & Autopsy: Digital Investigation Tools for Linux and other Unixes, http://www.sleuthkit.org/sleuthkit/desc.php.

[14] X-Ways Software Technology AG, http://www.x-ways.net/winhex/ and http://www.x-ways.net/winhex/forensics.html