Forensic ICT new version

The new forensic ICT unit has a re-drafted assignment and more material on RSA encryption and the choice of passwords. I’m trying to keep the same level of coverage of the tangled state of UK law, without getting too dry. And, above all, cut the amount of writing down while giving students chances to excel.

This is a note to myself and a backup on the Web more than anything – all typed on the Alphasmart while sitting on the train each day.

ICT v3

Revised assignment. Swap scen 3 and scen 2 and make the ACAS stuff less dry by use of case studies.

Assignment summary

Scenario 1: Define computer crime. Find three examples of recent, UK based, computer crimes of contrasting type and show how they fit your definition. List the laws broken in each of your examples and explain the law briefly (not cut and paste). List the organisations involved in policing computer crime, and describe the processes that a person and a small business should use when reporting a computer crime.

Scenario 2: Research the phenomenon of hacking and computer addiction. Apply a taxonomy of hacker roles to a hacker of your choice. Comment on the usefulness of hacker taxonomies. Explain how the Internet works at a level appropriate to a small businessman. Name and explain the action of three different hacker tools of contrasting type and describe appropriate counter-measures.

Scenario 3: Conduct a risk analysis for a small company based on a scenario you devise. Research the landmark cases that have shaped the UK law on privacy, communications monitoring and employment law regarding the Internet. Explain how the various laws involved interact and provide some best practice models for a small company. This work should be presented in the form of a PowerPoint presentation with speaker’s notes. You do not have to give the presentation.

Scenario 4: Carry out an investigation of a suspect device following an agreed protocol and provide a signed, printed witness statement recording your findings. Evaluate the main tools (e.g. EnCase) used by the forensic investigator and contrast these tools with the threat posed by hard drive cleaning software (Evidence Eliminator, Blancco) and the advent of encrypted hard drives with public keys coded in microprocessors. Produce a risk analysis for a small company regarding evidence recovery by police due to employee activities.

Consultancy report

Your four completed scenarios should form the appendices of a consultancy report aimed at a small company. The main body of your report should draw together the main messages under headings such as: The Problem; Future Developments; Where you want to be; How to get there.

The completed consultancy report, with appendices and full referencing, will be e-mailed to the tutor as a single Word file of size less than 2Mb.

Session 1: The internet and society

Issue pack and assignment with calendar. Presentation on social impact of Internet. Activity: name 3 things that have changed because of the Internet; punchline: name one thing that has stayed the same!

Presentation: who runs the Internet? ICANN, domain name system, w3, and so on. Look at Nominet.

Research: quiz on Internet history presented as a crossword puzzle.

Log in and check e-mail accounts. All send an e-mail to teacher.

Session 2: Web pages

Presentation: How the Web works.

Activity: make a simple Web page in Notepad that includes external links, three paragraph styles, some inline styles and an image linked from Web. Display in Web browser and check links. Change HTML code and notice how browser changes after refresh. Extension: use entity codes to disguise a message.

Plenary: look at the source code of some Web pages and pick out the main elements including recognising javascript code. Run through the halifax.co.uk e-mail scam.

Log into Moodle and set up profiles. Access the HTML quiz and fill in evaluation.

Session 3: Crack the code

Present a simple coded message in ROT13 and work alone for 5 minutes. Then allow working in pairs for another 5 minutes. Then allow group and general sharing of information. Collate the cracked letters and see if we can get the formula. Invite class to factorise the number 127,967 into two prime numbers (check with Du Sautoy).

Debrief: When did you get the big picture? Answer: when we could work together. Timeline of hacking – in parallel with Internet and Web development. Hackers share information like currency.

Presentation: RSA cryptography. How to recognise a secure connection. Full public key encryption is expensive in processor time. Other methods available. Who monitors all work in number theory? The Grant prizes (check with Du Sautoy).
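A worked version of the RSA presentation, added here as an example and not taken from the lesson notes: keys built from the small primes 61 and 53 (a constructed classroom pair), encryption and decryption, and the trial division that recovers the private key once n is small enough to factor. The same factorise() is what the class would be doing by hand on 127,967.

```python
# Added example, not part of the lesson notes: textbook RSA with the small
# primes 61 and 53, then the trial division that recovers the private key
# once n is small enough to factor. Real keys use primes of 1024+ bits.
from math import gcd

def mod_inverse(a, m):
    """Return x with (a * x) % m == 1, via the extended Euclidean algorithm."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse: a and m are not coprime")
    return old_s % m

def keygen(p, q, e):
    """Public key (n, e) and private key (n, d) from two primes p, q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (n, e), (n, mod_inverse(e, phi))

def encrypt(public_key, m):
    n, e = public_key
    return pow(m, e, n)          # c = m^e mod n

def decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)          # m = c^d mod n

def factorise(n):
    """Trial division. Fine for classroom numbers, useless at key sizes."""
    factors, f = [], 2
    while f * f <= n:
        while n % f == 0:
            factors.append(f)
            n //= f
        f += 1
    if n > 1:
        factors.append(n)
    return factors

def recover_private_key(public_key):
    """What an attacker does if n can be factored: rebuild d from p and q."""
    n, e = public_key
    p, q = factorise(n)          # only unpacks when n has exactly two prime factors
    return (n, mod_inverse(e, (p - 1) * (q - 1)))

if __name__ == "__main__":
    pub, priv = keygen(61, 53, 17)
    c = encrypt(pub, 65)
    print(pub, priv, c, decrypt(priv, c), recover_private_key(pub))
    print(factorise(127967))
```

Note that factorise(127967) returns three primes, 7, 101 and 181, so that number needs checking before it is used as the "two primes" puzzle.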

Log into Moodle and complete the code quiz and evaluation.

Session 4: The law and computers part 1

Presentation: How UK law works and why it is different to US law. Aspects of PACE and the Justice Act. CMA 1990. APIG updates to CMA. Sexual Offences Act 2003, ‘grooming’ now a crime. DoS attacks anomaly.

Activity: The sad case of Nigel Smethwick. Discuss in groups. Post findings back into Moodle. Compare with others. Summarise and e-mail back to tutor before next lesson.

Homework: What is ELSPA and why is this organisation popular with trading standards officers?

Session 5: recent examples of computer crime

Presentation: ‘every crowd has a silver lining’.

Research activity: search the BBC News and The Register or other reliable sites for recent examples of computer crime. Each student to find 3 contrasting examples.

Classification/plenary: classify the crimes along two dimensions: old crimes in new ways vs new types of crime on one axis and relative severity on the other axis.

Homework: Log into Moodle and read ‘crime on the web’ by the geezer and answer questions before the next lesson.

Session 6: Issue scenario 1

Presentation: Structure the writing in the form of a short report. Use Mind Genius to plan the report in sections and agree headings for each section. Export to Word as an outline and upload as a file into Moodle.

Individual: Draft and re-draft a definition of computer crime that is actually a definition. Each student to hand in a plan before the end of the lesson.

Record the definition as a response to a journal activity in Moodle.

Session 7: Hackers!

Presentation: the history of hacking, and the derivation of the term. Computer and networking culture as a new way of relating to machines. Notorious cases of hacking (Kevin Mitnick).

Activity: Work in pairs. Take the transcript of an interview and analyse the transcript using a taxonomy (Rogers, Fitch, another).

Plenary: Which taxonomy fits better, which seems to miss the point? Are modern commercial hackers less psychologically unusual than the older case histories?

Moodle: log in and add interview summary and analysis in terms of the taxonomy to the forum.

Session 8: How the internet works

Presentation: 4 layers, protocols, packets

Activity: The packet simulation with two messages flowing through nodes.

Plenary: Congestion, missed packets, logs holding distributed information.

Moodle: multiple choice quiz on how the internet works.

Session 9: History of the internet and the role of trust

Presentation: Universities in 1980s – not security aware. Spamming. USENET. Issues of freedom of speech from a US culturally specific viewpoint.

Activity: 1980s geek culture web tour and quiz. Look at Bruce Sterling’s hacker crackdown.

Discussion: How severe should punishment of ‘exploratory’ hackers be?

Session 10: Hacker tools and methods

Presentation: anatomy of a typical incident. Main tools used (keyloggers, software disablers and so on, along with network tools including port scanners and packet sniffers).

Activity: Research the honeypot project. Find out about tripwires and the role of logging in server analysis.

Plenary: share information found in Moodle forum or wiki for this week.

Session 11: Psychology of computer and games addiction

Presentation: Not a crime in itself but spending a lot of time in front of the screen can lead to social isolation and criminality – any evidence?

Research: gaming addiction cases – any evidence of cross over into criminality? Online communities? Grooming?

Feedback: findings of research written as a ‘journal’ item in Moodle

Scenario 2: Launch

Presentation: Format of report planned in MindGenius and exported to Word. Uploaded by tutor into Moodle.

Individual: students download the template and start making notes under the headings. Tutor has individual tutorial (5 min) with each student to discuss progress and set a target.

Plenary: Agree date for e-mail of final report to tutor

Session 13: Risk analysis

Presentation: avoid drama and being the subject of headlines by managing the risks associated with online presence. Identify the main risks (people, network). Pay money to sort the network. People are harder. Pens and stationery: theft? Short phone call home: theft of service? Forwarding a naughty e-mail to colleagues: publishing obscene material?

Activity: groups – case studies, different for each group.

Plenary: feedback on case study presentations

Moodle: upload brief notes – paragraph – in the forum.

Session 14: PowerPoint

Presentation: avoid death by powerpoint. The marketing guru’s approach (left brain auditory, speaking, right brain, visual, images). Using graphics and custom animation for maximum effect. Speaker’s notes. Export to Word as outline.

Activity: use a digital camera to make photos of hazards. Use as backdrop to slides.

Moodle: log-in and evaluate session in the journal

Session 15: ACAS guidance and risks

Presentation: employee risks and the ACAS guidance. Acceptable use policy. Need for agreement from employees for e-mail monitoring (RIPA), balanced with the assumption of personal confidentiality (human rights).

Activity: scenarios (one for each group) discussed in groups – draft advice to managers. Upload advice into Moodle.

Plenary: Law in the workplace gets complex! List the laws concerned and produce checklist for managers.

Session 16: Disaster strikes!

Presentation: disaster recovery strategies. Need to have a policy about backups. What is your backup strategy?

Activity: Disaster strikes – devise advice for a management on how to avoid loss of data. Research simple clear advice on the Web. Post results back to forum.

Plenary: review the checklists found and comment on the similarities. Can we boil this down to one side of A4 in bullet points? What would we put on a poster about backups for students?

Session 17: Who owns your e-mail?

Presentation: Your digital history is important and it may not be obvious who owns your e-mail. RIPA has led to clauses in contracts of employment. There have been some odd cases about e-mail recently. All ISPs are being asked to keep records on dial-in and sites visited and to keep e-mail for two years under new regulations (check this).

Activity: case studies in groups. Was the outcome reasonable and proportional to the damage caused?

Activity 2: One half: Draft some advice to employers about e-mail and surveillance. Other half: draft some advice to trade unionists about RIPA and the confidentiality regs.

Plenary: Employers vs Unions? Post the checklists into Moodle.

Session 18: Scenario 3

Presentation: summarize the content that should be in the PowerPoints, emphasise the need to expand on slides using the speaker’s notes.

Session 19: How a computer works

Presentation: block diagram of the main components of a computer. Zone in on the storage media as the main area of concern to forensic investigators. Vocabulary needs to be explained. Intel architecture now dominates the personal computer market (Windows, Linux and now Apple) – point out perils of monoculture. Role of BIOS and device drivers. Device drivers not glamorous and often written by contract programmers – poor code quality.

Activity: Each student gets a word. Research word/acronym and draft and re-draft a definition. Post to Moodle wiki for this session.

Plenary: Label the diagram – make the poster of the computer.

Session 20: The hard drive

Presentation: Modern hard drives are LARGE. The next version of windows (Vista) will support chip encrypted hard drives. How information is stored on a hard drive – use FAT but mention that NTFS is far more common. Explain slack space, swap file and point out that modern hard drives on office/admin machines almost never fill up.

Activity: make a poster about hard drives. Do the hard drive quiz.

Plenary: Research other storage devices (USB, cards, floppies, cameras, PDAs &c).

Session 21: Checksums and passwords

Presentation: Good passwords – have a mix of capitals, lower case and numbers. An 8 character password is one of 8^62 random combinations, around 10^56 alternatives. If you only use 8 lowercase letters, then you have 8^26 different possible patterns, around 10^23 different patterns – hugely quicker to crack. Mention dictionary cracking, and the need to avoid dictionary words.

Activity: work in pairs to devise an easy to remember but hard to crack password for Ettoire Scagalia, the absent minded accountant. Use Ettoire’s personal information as supplied. You may need to leave the country rapidly, as Ettoire’s friends and business associates in Palermo will know that you know the password…

Plenary: compare passwords. Use a security check web site to see how secure the passwords are.

Presentation: MD5 checksums – how to keep track of digital evidence. Checksum maths. Demo using a Web form based checksum generator – change one byte and the sum changes. Hash coding passwords – seeding the hash with e.g. membership number so the hash is harder to reverse engineer. Hash code dictionaries on the Web – again a case where enhanced storage causes problems.
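One script covering both presentations in this session, added as an example that is not from the lesson notes: it computes the password search space as (size of alphabet) to the power of (length), for the 26-letter and 62-character cases, shows an MD5 checksum changing when one byte of a constructed "disk image" changes, and stores a password as a per-user salted hash so that a precomputed hash dictionary does not match it. The sample password, salts and image bytes are constructed for the demo.

```python
# Added example, not part of the lesson notes: password search space,
# an MD5 checksum that changes with a single byte, and a salted hash so two
# users with the same password do not share a hash value.
import hashlib
import math

def keyspace(alphabet_size, length):
    """Distinct passwords of this length: alphabet size to the power of length."""
    return alphabet_size ** length

def entropy_bits(alphabet_size, length):
    """Equivalent key length in bits, rounded to one decimal place."""
    return round(length * math.log2(alphabet_size), 1)

def years_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every password at the given guessing rate."""
    return space / guesses_per_second / (365 * 24 * 3600)

def md5_hex(data):
    """Checksum of an evidence file or disk image; any change alters it."""
    return hashlib.md5(data).hexdigest()

def unsalted_hash(password):
    """What a web 'hash dictionary' is built from: the bare password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def salted_hash(password, salt):
    """Store this, never the password. Salt is per user, e.g. membership number."""
    return hashlib.sha256((salt + ":" + password).encode("utf-8")).hexdigest()

def verify(password, salt, stored_hash):
    return salted_hash(password, salt) == stored_hash

def dictionary_hits(table, stored_hash):
    """Look a stored hash up in a precomputed {password: hash} table."""
    return [pw for pw, h in table.items() if h == stored_hash]

# Constructed data for the demo below
IMAGE = b"disk image bytes 0123456789"
IMAGE_ALTERED = b"disk image bytes 0123456780"   # one byte changed

if __name__ == "__main__":
    for size, label in ((26, "a-z"), (62, "a-z A-Z 0-9")):
        space = keyspace(size, 8)
        print(label, space, entropy_bits(size, 8), years_to_exhaust(space, 10**9))
    print(md5_hex(IMAGE), md5_hex(IMAGE_ALTERED))
    table = {"Palermo1": unsalted_hash("Palermo1")}
    stored = salted_hash("Palermo1", "M001")
    print(dictionary_hits(table, table["Palermo1"]), dictionary_hits(table, stored))
    print(verify("Palermo1", "M001", stored), salted_hash("Palermo1", "M002") != stored)
```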

Activity: research MD5 and SHA checksum algorithms.

Plenary: post findings to Moodle forum.

Session 22: How to secure computer based evidence

Presentation: ACPO guide to collection of electronic evidence. Need to train front line staff as decisions that are made at 3am in a badly lit house/office with shouting going on may adversely affect the value of evidence. Study carefully the pros and cons of pulling the mains lead out of computers (i.e. not ‘shutting down’). Link to previous knowledge of swap files and slack space and so forth. Link to PACE and later updates (see evening blog).

Activity: groups look at case studies (need 4 or 5) and decide what the officers should do.

Plenary: Pool advice on the different cases. What about storage? iPods? Cameras? Tell anecdote about the Maxwell case (the FSS officer who pieced together the cross-cut shredded documents…)

Moodle: log in and evaluate

Session 23: DOS

Presentation: the command prompt. Basic DOS commands. DIR command and switches. Redirection. Wildcards. File timestamps – the three types of timestamp.

Quiz: wildcard puzzle. Point out wildcards can be used in the Windows find as well.

Activity: Use the C++ IDE to shell out to a DOS session. Run the commands that list all the .jpg files on the computer to a text file called image.txt or similar. Load the file back into EDIT and compare the results. What directory has most of the images? Can you find images downloaded from the Internet?
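The same exercise done in a script rather than at the DOS prompt, added as an example that is not part of the lesson notes: it walks a directory tree for .jpg files (the DIR *.jpg /S equivalent), records the three timestamps for each, writes the listing to image.txt, reports which directory holds most images, and flags files whose modified time is older than their ctime. The suspect directory tree is constructed by the script so it runs anywhere.

```python
# Added example, not part of the lesson notes: the "list every .jpg to a
# text file" exercise in Python, with the three timestamps per file.
import os
import tempfile
import time
from collections import Counter
from datetime import datetime

def jpg_listing(root):
    """Recursive listing of .jpg files: (path, accessed, modified, ctime)."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jpg"):        # like DIR *.jpg /S
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                # st_ctime: metadata change time on Unix, creation time on Windows
                rows.append((path, st.st_atime, st.st_mtime, st.st_ctime))
    return sorted(rows)

def write_listing(rows, out_path):
    """Equivalent of redirecting DIR output to image.txt."""
    fmt = lambda t: datetime.fromtimestamp(t).strftime("%Y-%m-%d %H:%M:%S")
    with open(out_path, "w", encoding="utf-8") as f:
        for path, a, m, c in rows:
            f.write(f"{path}\tA:{fmt(a)}\tM:{fmt(m)}\tC:{fmt(c)}\n")
    return out_path

def busiest_directory(rows):
    """Which directory holds the most images? Returns (directory, count)."""
    counts = Counter(os.path.dirname(p) for p, _a, _m, _c in rows)
    return counts.most_common(1)[0] if counts else None

def suspicious_rows(rows):
    """Modified time older than ctime: content backdated or copied in later."""
    return [p for p, _a, m, c in rows if m + 1 < c]

def build_sample_tree():
    """Constructed suspect disk: two image folders and a decoy text file."""
    root = tempfile.mkdtemp(prefix="suspect_")
    layout = {"Pictures": ["holiday.jpg", "scan.JPG"],
              "Downloads": ["banner.jpg"], "Temp": ["notes.txt"]}
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "wb") as f:
                f.write(b"\xff\xd8\xff" if name.lower().endswith(".jpg") else b"text")
    # Backdate one file's access and modified times by a year; ctime stays "now"
    old = time.time() - 365 * 24 * 3600
    os.utime(os.path.join(root, "Pictures", "scan.JPG"), (old, old))
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    rows = jpg_listing(root)
    print(open(write_listing(rows, os.path.join(root, "image.txt"))).read())
    print(busiest_directory(rows), suspicious_rows(rows))
```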

Plenary: Present some screen shots showing the output of typical Unix command lines – demo grep, lsmod and pipe. Point out issues with the timestamp especially the ‘touched’ attribute.

Quiz: show screenshots of various timestamps. Students have to work out the sequence of events (i.e. image copied from camera to computer, modified, dumped onto USB storage).

Session 24: Suspect device

Work in pairs. Choose a device (USB storage, camera, PDA, laptops). Work through the protocol for that device. One person makes notes and the other carries out commands. Notemaker must be very clear what commands are being issued and note these in correct order and note results.

End up with file lists, timestamp information.

Plenary: piece together the story from the various audit trails on the devices. Clock that the times on the devices may not be accurate or synchronised. Work out adjustments.
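The clock-adjustment step worked through in code, added as an example that is not part of the lesson notes: each device's offset is measured by reading its clock against a trusted clock at the same instant, every recorded timestamp is shifted back to the trusted clock, and only then are the events sorted. The devices, offsets and audit-trail events are constructed; the camera runs two hours fast and the laptop fifteen minutes slow, so the naive ordering puts the events in the wrong sequence.

```python
# Added example, not part of the lesson notes: reconciling timestamps from
# devices whose clocks disagree. An offset is (device clock reading) minus
# (trusted clock reading), both noted at the same moment at seizure.
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

def parse(ts):
    return datetime.strptime(ts, FMT)

def measure_offset(device_reading, reference_reading):
    """Note the device clock and a trusted clock at the same instant."""
    return parse(device_reading) - parse(reference_reading)

# Constructed: camera clock two hours fast, laptop fifteen minutes slow
OFFSETS = {
    "camera": measure_offset("2006-03-02 11:00:00", "2006-03-02 09:00:00"),
    "office_pc": timedelta(0),
    "laptop": measure_offset("2006-03-02 08:45:00", "2006-03-02 09:00:00"),
}

# Constructed audit trail: (device, timestamp as shown on that device, event)
EVENTS = [
    ("camera", "2006-03-01 14:05:00", "DSC0001.JPG written by camera"),
    ("office_pc", "2006-03-01 12:30:00", "DSC0001.JPG modified in editor"),
    ("laptop", "2006-03-01 12:25:00", "DSC0001.JPG copied to USB stick"),
]

def raw_order(events):
    """Naive ordering by timestamps as recorded: wrong when clocks differ."""
    return [what for _dev, _ts, what in sorted(events, key=lambda e: parse(e[1]))]

def reconcile(events, offsets):
    """Convert every timestamp to the trusted clock, then sort."""
    adjusted = []
    for device, ts, what in events:
        if device not in offsets:
            raise KeyError(f"no clock offset recorded for {device}")
        adjusted.append((parse(ts) - offsets[device], device, what))
    return sorted(adjusted)

def true_order(events, offsets):
    return [what for _t, _dev, what in reconcile(events, offsets)]

if __name__ == "__main__":
    print("as recorded:", raw_order(EVENTS))
    for t, dev, what in reconcile(EVENTS, OFFSETS):
        print(t.strftime(FMT), dev, what)
```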

End of session: Moodle for evaluation. Type up notes in a standard witness format. Print and sign.

Session 25: Encase and evidence eliminator

Presentation: EnCase demo and what it can do. Link with MD5 checksums and swap files / slack space. Then mention Evidence Eliminator and how that may cause problems for EnCase. Look at scrubbing software (‘Blancco’) used by companies and charities who recycle computers. Widen the net to include backups and so on.

Activity: discussion – should we allow people to purchase software like Blancco or Evidence Eliminator? What if Maxwell’s sons had simply burned the evidence instead of using a shredder?

Research: Check data salvage companies for prices and types of data recovery service available.

Plenary: Moodle – post findings onto forum.

Session 26: Scenario 4

Presentation: write a plan for the explanation and evaluation of the techniques used by forensic investigators. Steer students towards EnCase/Evidence eliminator comparisons.

Activity: Check and sign witness statement (p6). Start work on the report for (m6).

Presentation: Risk analysis for the gaffer of a small company. Employee activity on company network results in company losing computers/data as police take evidence.

Activity: research police attitudes to employee misuse of corporate network. Find examples.

Session 27: The Future

Presentation: show slides of previous attempts to predict the future (clive sinclair’s C5 &c). Ubiquitous Computing – mobile devices with more and more computing power and better network connectivity. Solid state data storage with seeded RSA encryption. Fridges on the Web (show the example of the Japanese Granny Kettle if it is still around).

Activity: Provide individuals with post-it notes. Ask to brainstorm likely future developments in next 7 to 10 years. Post on window and look for connections. Gather post-its for transcription.

Plenary: mention format of the consultancy report and remind that D4 needs evidence for some of the future developments!

Volunteers: transcribe the post-its onto Moodle wiki

Session 28: Demographics

Presentation: the fastest growing Web user base is in China and the most popular operating system for desktops is Red Flag Linux. Show screens in Big 5 Chinese. India and the Mumbai call centre culture, graduate quality staff for $200 a month. Digital Divide, how access to online services can distinguish people. $100 laptop from Negroponte’s project – current status and future impact given wireless local loop.

Activity: pick a trend and try to get some hard statistical evidence from web. Post quotable sources to Moodle.

Plenary: Remind that this section of D4 is only 800 words – draft and redraft. Check by e-mail if needed.

Session 29: Portfolio

Presentation: Check through skill requirements (p1, m1, d1, p3, m3, d3) and make screen grabs of e-mails. Arrange to send e-mails to class members if not covered.

Activity: personal tutorial on portfolio construction. Reminder of need for a coherent consultant report to introduce the appendices (scen 1 &c).

Session 30: Hand in

Completed portfolios should be e-mailed to tutor as single Word files below 2 Mb in size before the start of this lesson. Those who fail to make the deadline lose the re-grade opportunity.

Agree timescale for return of assignment and regrading with students on an individual basis.

Unit evaluation form.
