DEVELOPING DIGITAL
FORENSIC PRACTITIONERS
Jason Jordaan
CFCE, CFE, PMCSSA, ACE
MTech (Forensic Investigation), BComHons (Information Systems), BSc (CJ Computer Science), BTech (Policing)
Head: Cyber Forensic Laboratory
Special Investigating Unit
South Africa
INTRODUCTION
• In an increasingly digital world, cyber crime is on the increase
and is placing significant strain on law enforcement and private
security resources
• Not only are cyber crimes on the increase, but more and more
conventional crimes are making use of, or are facilitated by
digital devices
• Digital evidence is present in virtually every crime committed,
and requires the skills of specialist digital forensics practitioners
to acquire, examine, and interpret for court purposes
• There is a significant need for digital forensic practitioners
around the globe, but a real shortage of these skills
A BRIEF HISTORY - 1980s
• The rise of computer crime in the 1980s meant that
investigators began to look at computers as sources of evidence
• Law enforcement began initial training efforts in digital forensics
• FBI CART
• Federal Law Enforcement Training Centre
• London Metropolitan Police
• IACIS
A BRIEF HISTORY - 1990s
• The 1990s saw the “birth” of the Internet as we know it today,
and increasing consumerisation of technology meant more
technology was involved in crimes, and the rapid growth in
Internet-facilitated cyber crime
• The development of standards by various law enforcement bodies
• Development and training expanded, but still primarily within
law enforcement and government
• Some growth in private sector training and development
• SANS Institute
A BRIEF HISTORY - 2000s
• Cyber crime explodes in the 2000s and the integration of
technologies such as mobile devices expands potential sources
of technological evidence exponentially, as well as the use of
technology in criminality
• CSI makes forensic science “sexy”
• Digital forensics evolves from investigative techniques to a full
forensic science
• Significant development in the private sector with regard to
training courses and programs in digital forensics
• Development of formal academic programs at universities
around the world
DIGITAL FORENSICS COMPETENCIES
• Any development framework or development strategy must take
into account skill and knowledge competencies for the particular
occupation
• No established and generally recognised competencies for
digital forensic practitioners
• Some organisations have developed competency frameworks
and models for digital forensics
• SANS
• DFCB
• IACIS
• National Cybersecurity Workforce Framework
NATIONAL CYBER SECURITY FRAMEWORK
DIGITAL FORENSIC COMPETENCIES
• Knowledge of concepts and practices of processing digital
information.
• Knowledge of critical protocols (e.g., IPSEC, AES, GRE, IKE,
MD5, SHA, 3DES).
• Knowledge of cyber crime response and handling
methodologies.
• Knowledge of network architecture concepts including topology,
protocols, and components.
• Knowledge of data backup, types of backups (e.g., full,
incremental), and recovery concepts and tools.
• Knowledge of legal governance related to information security,
computer monitoring, and collection.
• Knowledge of server diagnostic tools and fault identification
techniques.
• Knowledge of system administration concepts for Unix/Linux
and/or Windows operating systems.
• Knowledge of basic physical computer components and
architectures, including the functions of various components and
peripherals (e.g., CPUs, Network Interface Cards, data storage).
• Knowledge of binary analysis.
• Knowledge of file system implementations.
• Knowledge of Forensic Chain of Evidence.
• Knowledge of hacking methodologies in Windows or Unix/Linux
environment.
• Knowledge of substantive and procedural law dealing with cyber
crime and digital evidence.
• Knowledge of processes for packaging, transporting, and
storage of electronic evidence to avoid alteration, loss, physical
damage, or destruction of data.
• Knowledge of types and collection of persistent data.
• Knowledge of web mail collection, searching/analysing
techniques, and cookies.
• Knowledge of which system files (e.g., log files, registry files,
configuration files) contain relevant information and where to
find those system files.
• Knowledge of types of digital forensics data and how to
recognise them.
• Knowledge of deployable forensics.
• Knowledge of forensics in multiple operating system
environments.
• Knowledge of security event correlation tools.
• Knowledge of legal governance related to admissibility (Criminal
Procedure Act, Civil Proceedings and Evidence Act, Electronic
Communications and Related Matters Act).
• Knowledge of electronic devices such as computer systems and
their components, access control devices, digital cameras,
handheld devices, electronic organisers, hard drives, memory
cards, modems, network components, connectors, pagers,
printers, removable storage devices, scanners, telephones,
copiers, credit card skimmers, facsimile machines, global
positioning systems, and other miscellaneous electronic items.
• Knowledge of social dynamics of computer attackers in a global
context.
• Skill in analysing memory dumps to extract information.
• Skill in identifying, modifying, and manipulating applicable
system components (Windows and/or Unix/Linux) (e.g.,
passwords, user accounts, files).
• Skill in processing, packaging, transporting, and storing
electronic evidence to avoid alteration, loss, physical damage,
or destruction of data.
• Skill in setting up a forensic workstation.
• Skill in using digital forensic tools (hardware and software).
• Skill in using virtual machines.
• Skill in disassembling PCs.
• Ability to decrypt digital data collections.
• Skill in seizing and preserving digital evidence.
• Skill in finding and extracting information of evidentiary value.
• Skill in using scientific rules and methods to solve problems.
FINDING THE RIGHT PERSON
• A strong aptitude for information technology, science
and mathematics, and a genuine passion for digital
forensics
• A capacity for learning, and comfortable with ongoing
learning
• A strong desire to achieve mastery
• A strong sense of ethics and justice
• Attention to detail
• Good communication ability, both written and verbal
TERTIARY ACADEMIC PROGRAMS
• There has been a huge increase in the number of
universities around the world offering digital forensics
courses or degrees
• Many of these programs have practical shortcomings
in terms of content and lecturers
• Has created a situation where there are many digital
forensic graduates that still require extensive training
and experience before they can effectively function
as digital forensic practitioners
• The number of universities around the world that offer
digital forensic programs that meet the real needs of
digital forensic practitioners is limited
• Most are postgraduate programs that build on a
strong undergraduate program in computer science
• Professional forensic science bodies have
established academic standards to ensure that
academic programs produce competent digital
forensic practitioners
• The Forensic Science Society has developed
component standards in digital forensic science and
runs an accreditation scheme for academic
institutions
• The American Academy of Forensic Science’s
Forensic Science Education Programs Accreditation
Commission has undergraduate and postgraduate
digital forensic accreditation standards
• The University of Pretoria, the University of
Johannesburg, and the University of Cape Town all
offer a digital forensics module as part of a
postgraduate qualification
• Two of the programs require an undergraduate
computer science/information systems degree
• None of these programs are specialised digital
forensics programs
• None of these programs meet either the AAFS or
FSS requirements
• There is a need to develop a local postgraduate
academic program that is compliant with the AAFS or
FSS academic standards
• The program needs to be at least MSc level, with an
undergraduate computer science degree as a
mandatory requirement
• There is a need to more closely align academic
research programs in the field of digital forensics with
the field of practice
VENDOR TRAINING
• Training provided by software/hardware vendors
• Focuses primarily on the usage of the specific
hardware/software
• Limited training on general forensic science principles
and digital forensic science principles
• Often important to demonstrate proficiency in the use
of a particular tool for court purposes
• Most hardware/software available in South Africa
through local distributors is supported by training
VENDOR NEUTRAL TRAINING
• Training in general forensic science and digital
forensic science
• Does not focus on the use of specific tools
• Provides foundation, and specialised skills and
knowledge of scientific processes and principles,
digital systems and artifacts, and the law
• This type of training is critical
• Limited in South Africa, but developing, for example
SANS 408 now available locally
CERTIFICATIONS
• A formal and independent process of validating skill,
knowledge and competency
• Tool specific (EnCE, ACE, MCE)
• Digital forensics (CFCE, GCFE, GCFA, CHFI)
• Test a standard body of knowledge
• Valid for a limited time period and require
recertification
• Certifications that are compliant with ANSI/ISO and
FSAB standards are preferable and more credible
CONTINUING EDUCATION
• Information technology, digital forensic science, and
law are constantly changing and evolving
• Digital forensic practitioners must be constantly
learning to stay current and competent in these
evolving fields
• Professional norms consider a minimum of 40 hours
of continuing professional education to be standard,
and there must be a balance between the various
digital forensics core knowledge areas
INTEGRATED DEVELOPMENT
• A strategy to develop digital forensic practitioners to
address skill and knowledge shortages
• Looks for potential rather than qualifications
• Combines technical training, certification programs,
and mentorship
• Medium term strategy
• Requires significant investment
• Develops competent digital forensic practitioners
INTEGRATED DEVELOPMENT
Year One
• Selection Process
• Training and Certification: A+, N+ and Security+; Forensic Acquisition
• Mentorship and Experience: Forensic Acquisition; Forensic Triage
INTEGRATED DEVELOPMENT
Year Two
• Training and Certification: SANS 408; GCFE; Forensic Examination
• Mentorship and Experience: Forensic Examination
INTEGRATED DEVELOPMENT
Year Three
• Training and Certification: BCFE; CFCE; Forensic Analysis
• Mentorship and Experience: Forensic Analysis
CONCLUSION
• Digital forensics has evolved from a technical
investigative discipline to a forensic science discipline
• Identifying the necessary competencies for digital
forensic practitioners is crucial, as these guide
development activities
• Independent accreditation of practitioners assures
baseline competencies
• Foundation development is critical, and must be
continued through continuing development programs