Educating the effective digital forensics practitioner: academic, professional, graduate and student perspectives

Over the years, digital forensics has become an important and sought-after profession where the gateway of training and education has developed vastly over the past decade. Many UK higher education (HE) institutions now deliver courses that prepare students for careers in digital forensics and, in most recent advances, cyber security. Skills shortages and external influences attributed within the field of cyber security, and its relationship as a discipline with digital forensics, has shifted the dynamic of UK higher education provisions. The implications of this now sees the route to becoming a digital forensic practitioner, be it in law enforcement or business, transform from on-the-job training to university educated, trained analysts. This thesis examined courses within HE and discovered that the delivery of these courses often overlooked areas such as mobile forensics, live data forensics, Linux and Mac knowledge. This research also considered current standards available across HE to understand whether educational programmes are delivering what is documented as relevant curriculum. Cyber security was found to be the central focus of these standards within inclusion of digital forensics, adding further to the debate and lack of distinctive nature of digital forensics as its own discipline. Few standards demonstrated how the topics, knowledge, skills and competences drawn were identified as relevant and effective for producing digital forensic practitioners. Additionally, this thesis analyses and discusses results from 201 participants across five stakeholder groups: graduates, professionals, academics, students and the public. These areas were selected due to being underdeveloped in existing literature and the crucial role they play in the cycle of producing effective practitioners. Analysis on stakeholder views, experiences and thoughts surrounding education and training offer unique insight, theoretical underpinnings and original contributions not seen in existing literature. For example, challenges, costs and initial issues with introducing graduates to employment for the employers and/or supervising practitioners, the lack of awareness and contextualisation on behalf of students and graduates towards what knowledge and skills they have learned and acquired on a course and its practical application on-the-job which often lead to suggestions of a lack of fundamental knowledge and skills. This is evidenced throughout the thesis, but examples include graduates: for their reflections on education based on their new on-the-job experiences and practices; professionals: for their job experiences and requirements, academics: for their educational practices and challenges; students: their initial expectations and views; and, the public: for their general understanding. This research uniquely captures these perspectives, bolstering the development of digital forensics as an academic discipline, along with the importance these diverse views play in the overall approach to delivering skilled practitioners. While the main contribution to knowledge within this thesis is its narrative focusing on the education of effective digital forensic practitioners and its major stakeholders, this thesis also makes additional contributions both academically and professionally; including the discussion, analysis and reflection of: - improvements for education and digital forensics topics for research and curriculum development; - where course offerings can be improved for institutions offering digital forensic degree programmes; - the need for further collaboration between industry and academia to provide students and graduates with greater understanding of the real-life role of a digital forensic practitioner and the expectations in employment; - continuous and unique challenges within both academia and the industry which digital forensics possess and the need for improved facilities and tool development to curate and share problem and scenario-based learning studies

K-12 Cybersecurity Program Evaluation and Its Application

As the use of the Internet and computers continues to increase, so does the prevalence of cybercrime. However, there is currently no global standard education curriculum guideline in place to prevent cybercrime or cybercrime victimization. The purpose of this study is to examine programs designed for students in grades K-12 that have already been implemented in communities across the country in order to determine the amount of information taught and to identify a global standard preventative program for all educational institutions. This project will be an exploratory study in which existing K-12 curriculum programs are reviewed qualitatively using a content analysis method based upon the theoretical framework of Choi’s Cyber-Routine Activities Theory (Cyber RAT) (Choi, 2008). The expected outcome of this research is to identify and create standards for an ideal cybersecurity educational program for students in grades K-12. This research is timely and imperative in the field of criminal justice because crimes are becoming increasingly prevalent in the cyber-world with very limited means available to control or prevent them. Findings in this study suggest that most programs teach students a sufficient amount of topics relating to computer hygiene, computer ethics, and technological skills. However, further research must be conducted to determine the quality of these programs in adequately informing students about topics involving cybersecurity and cybercrime

Analysis of a training package for law enforcement to conduct open source research

Law enforcement officials (LEOs) in the UK conduct open source research (OSR) as part of their routine online investigations. OSR, in this instance, refers to publicly available information that is accessed via the Internet. As part of the Research, Identifying and Tracing the Electronic Suspect (RITES) course provided by the UK’s College of Policing, LEOs are introduced to the Open Source Internet Research Tool (OSIRT); a free software tool designed to assist LEOs with OSR investigations. This paper draws on analysis from questionnaires and observations from a RITES course; mapping them to Kirkpatrick’s evaluation model. Results showed the positive impact the RITES course had in transferring knowledge back on-the-job, with LEOs applying knowledge learned to real-life investigative scenarios. Additionally, results showed OSIRT integrated both in the RITES course and into the LEOs investigative routine

Cybercrime: An Investigation of the Attitudes and Environmental Factors that Make People more Willing to Participate in Online Crime

Cybercrime incidence rates are increasing. In order to identify solutions to this problem, the sources of cybercrime need to be identified. This research attempted to identify a potential set of circumstances that create an environment in which people are more likely to engage in cybercrime. There are three aspects to this; (1) Behaviour on the internet – Are people more likely to engage in illicit activities online than in the physical world? (2) Crime Perceptions – Do people perceive cybercrime as being less serious than non-cybercrime? (3) Resources on the Internet – Are people aware of the types of free hacking resources that are available online? In order to address the first question, a review of the existing literature on the matter was carried out and conclusions drawn from it. The Online Disinhibition Effect is a key theory in this matter. Results from this review suggest that people are more likely to engage in illicit activities online than they are in the physical world. Addressing the second question was carried out in two stages. The first was an assessment of some of the free hacking resources that are available online such as tools and educational courses, based on predefined selection criteria. The content or function of these were established and they were rated across a number of factors. This information was fed into a survey to establish awareness of the existence of some of the tool functions, and opinions on course availability. The results from this research indicate that people are aware of the kind of functionality that is available from hacking tools online. The third question was addressed through another section of the survey in which participants were asked to rate the seriousness of 6 crime scenarios, three of which were cybercrimes, and three of which were non-cybercrimes. The same scenarios were used throughout the survey as participants were asked to determine appropriate sentences for each crime, and then judge the actual sentence that the crime was given. Results from this investigation indicate that people do view cybercrime as less serious than noncybercrimes. The results from these three streams of research indicate that they are combining to create an environment in which people more readily engage in cybercrime

A semantic methodology for (un)structured digital evidences analysis

Nowadays, more than ever, digital forensics activities are involved in any criminal, civil or military investigation and represent a fundamental tool to support cyber-security. Investigators use a variety of techniques and proprietary software forensic applications to examine the copy of digital devices, searching hidden, deleted, encrypted, or damaged files or folders. Any evidence found is carefully analysed and documented in a "finding report" in preparation for legal proceedings that involve discovery, depositions, or actual litigation. The aim is to discover and analyse patterns of fraudulent activities. In this work, a new methodology is proposed to support investigators during the analysis process, correlating evidences found through different forensic tools. The methodology was implemented through a system able to add semantic assertion to data generated by forensics tools during extraction processes. These assertions enable more effective access to relevant information and enhanced retrieval and reasoning capabilities

Digital Forensic Readiness: An Examination of Law Enforcement Agencies in the State of Maryland

Digital forensic readiness within the law enforcement community, especially at the local level, has gone mostly unexplored. As a result, a current lack of data exists that examines the digital forensic readiness of individual agencies, the possibility of proximity relationships, and correlations between readiness and backlogs. This quantitative, crosssectional research study sought to explore these issues by focusing on the state of Maryland. The study resulted in the creation of a digital forensic readiness scoring model that was then used to assign digital forensic readiness scores to thirty (30) of the one-hundred-forty-one (141) law enforcement agencies throughout Maryland. It was found that an agency’s proximity to a major resource center (hub) did not positively or negatively influence readiness. It was also found that agencies with higher digital forensic readiness scores may be more likely to exhibit backlogs as a result of external agency dependencies. It should be noted, however, that digital forensic readiness scores should not be viewed as a reliable predictive indicator for the existence of backlogs. These findings establish a baseline for the state of Maryland that can be used to monitor, sustain, or improve levels of digital forensic readiness within the state or in a broader national context; it has the potential of enhancing public safety and the field at large

Literature based Cyber Security Topics: Handbook

Cyber security is the practice of protecting systems, networks, and programs from digital attacks. These cyber attacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes. Cloud computing has emerged from the legacy data centres. Consequently, threats applicable in legacy system are equally applicable to cloud computing along with emerging new threats that plague only the cloud systems. Traditionally the data centres were hosted on-premises. Hence, control over the data was comparatively easier than handling a cloud system which is borderless and ubiquitous. Threats due to multi-tenancy, access from anywhere, control of cloud, etc. are some examples of why cloud security becomes important. Considering the significance of cloud security, this work is an attempt to understand the existing cloud service and deployment models, and the major threat factors to cloud security that may be critical in cloud environment. It also highlights various methods employed by the attackers to cause the damage. Cyber-attacks are highlighted as well. This work will be profoundly helpful to the industry and researchers in understanding the various cloud specific cyber-attack and enable them to evolve the strategy to counter them more effectively

A Domain Specific Language for Digital Forensics and Incident Response Analysis

One of the longstanding conceptual problems in digital forensics is the dichotomy between the need for verifiable and reproducible forensic investigations, and the lack of practical mechanisms to accomplish them. With nearly four decades of professional digital forensic practice, investigator notes are still the primary source of reproducibility information, and much of it is tied to the functions of specific, often proprietary, tools. The lack of a formal means of specification for digital forensic operations results in three major problems. Specifically, there is a critical lack of: a) standardized and automated means to scientifically verify accuracy of digital forensic tools; b) methods to reliably reproduce forensic computations (their results); and c) framework for inter-operability among forensic tools. Additionally, there is no standardized means for communicating software requirements between users, researchers and developers, resulting in a mismatch in expectations. Combined with the exponential growth in data volume and complexity of applications and systems to be investigated, all of these concerns result in major case backlogs and inherently reduce the reliability of the digital forensic analyses. This work proposes a new approach to the specification of forensic computations, such that the above concerns can be addressed on a scientific basis with a new domain specific language (DSL) called nugget. DSLs are specialized languages that aim to address the concerns of particular domains by providing practical abstractions. Successful DSLs, such as SQL, can transform an application domain by providing a standardized way for users to communicate what they need without specifying how the computation should be performed. This is the first effort to build a DSL for (digital) forensic computations with the following research goals: 1) provide an intuitive formal specification language that covers core types of forensic computations and common data types; 2) provide a mechanism to extend the language that can incorporate arbitrary computations; 3) provide a prototype execution environment that allows the fully automatic execution of the computation; 4) provide a complete, formal, and auditable log of computations that can be used to reproduce an investigation; 5) demonstrate cloud-ready processing that can match the growth in data volumes and complexity

A Framework for the Systematic Evaluation of Malware Forensic Tools

Following a series of high profile miscarriages of justice linked to questionable expert evidence, the post of the Forensic Science Regulator was created in 2008 with a remit to improve the standard of practitioner competences and forensic procedures. It has since moved to incorporate a greater level of scientific practice in these areas, as used in the production of expert evidence submitted to the UK Criminal Justice System. Accreditation to their codes of practice and conduct will become mandatory for all forensic practitioners by October 2017. A variety of challenges with expert evidence are explored and linked to a lack of a scientific methodology underpinning the processes followed. In particular, the research focuses upon investigations where malicious software (‘malware’) has been identified. A framework, called the ‘Malware Analysis Tool Evaluation Framework’ (MATEF), has been developed to address this lack of methodology to evaluate software tools used during investigations involving malware. A prototype implementation of the framework was used to evaluate two tools against a population of over 350,000 samples of malware. Analysis of the findings indicated that the choice of tool could impact on the number of artefacts observed in malware forensic investigations as well as identifying the optimal execution time for a given tool when observing malware artefacts. Three different measures were used to evaluate the framework. The first of these evaluated the framework against the requirements and determined that these were largely met. Where the requirements were not met these are attributed to matters either outside scope or the fledgling nature of the research. Another measure used to evaluate the framework was to consider its performance in terms of speed and resource utilisation. This identified scope for improvement in terms of the time to complete a test and the need for more economical use of disk space. Finally, the framework provides a scientific means to evaluate malware analysis tools, hence addressing the Research Question subject to the level at which ground truth is established. A number of contributions are produced as the output of this work. First there is confirmation for the case for a lack of trusted practice in the field of malware forensics. Second, the MATEF itself, as it facilitates the production of empirical evidence of a tool’s ability to detect malware artefacts. A third contribution is a set of requirements for establishing trusted practice in the use of malware artefact detection tools. Finally, empirical evidence that supports both the notion that the choice of tool can impact on the number of artefacts observed in malware forensic investigations as well as identifying the optimal execution time for a given tool when observing malware artefacts

A Review Study On Some Cyber Security Related Topics

It is the protection of computer systems and networks from information disclosure, theft of, or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide. The field has become of significance due to the expanded reliance on computer systems, the Internet and wireless network standards such as Bluetooth and Wi-Fi, and due to the growth of smart devices, including smartphones, televisions, and the various devices that constitute the Internet of things (IoT). Cybersecurity is also one of the significant challenges in the contemporary world, due to the complexity of information systems, both in terms of political usage and technology. Its primary goal is to ensure the system's dependability, integrity, and data privacyIt is the protection of computer systems and networks from information disclosure, theft of, or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide. The field has become of significance due to the expanded reliance on computer systems, the Internet and wireless network standards such as Bluetooth and Wi-Fi, and due to the growth of smart devices, including smartphones, televisions, and the various devices that constitute the Internet of things (IoT). Cybersecurity is also one of the significant challenges in the contemporary world, due to the complexity of information systems, both in terms of political usage and technology. Its primary goal is to ensure the system's dependability, integrity, and data privac