Professional Documents
Culture Documents
Master's Degree in Digital Forensics: Lponte@mail - Ucf.edu Whicomb@mail - Ucf.edu
Master's Degree in Digital Forensics: Lponte@mail - Ucf.edu Whicomb@mail - Ucf.edu
Master's Degree in Digital Forensics: Lponte@mail - Ucf.edu Whicomb@mail - Ucf.edu
1. Introduction
Digital Forensics has been called both a profession and a science that involves the identification, preservation, extraction, documentation, and interpretation of digital media for evidentiary purposes [15]. Business and industry use digital forensics to assemble information within their own businesses regarding intellectual property theft, fraud, network and computer intrusions, and unauthorized use of computers and other digital media. Law enforcement agencies employ digital forensics to gather digital evidence for a variety of crimes including child pornography, fraud, terrorism, extortion, cyberstalking, money laundering, forgery, and identity theft. Government agencies utilize digital forensics in ensuring compliance with relevant administrative regulations. Military and government intelligence agencies use digital forensics to collect intelligence
Proceedings of the 40th Annual Hawaii International Conference on System Sciences (HICSS'07) 0-7695-2755-8/07 $20.00 2007 1530-1605/07 $20.00 2007 IEEE
digital forensics professionals will help to gain further trust of and respect for the field of digital forensics. The backlogs of criminal and civil cases will increase as computers continue to permeate nearly every corner of everyday life, and as criminals, terrorists, and those engaged in civil wrongdoing become more proficient in the use of computers to further their illegal activities. The inability to efficiently prosecute criminals and terrorists or to bring appropriate civil actions because of a lack of educated personnel can only have negative effects upon our nations safety, security, competitiveness, economic stability, and sense of due process.
3. Student Outcomes
The 30-hour degree is composed of five required core courses, four elective courses (selected from a predefined set of courses), and a graduate internship. As required by the University guidelines, 15 of the 30 hours of course work must be taken at the 6000 level. (5000-level courses are open to both senior undergraduate and graduate students, whereas 6000level courses are graduate student only courses). It is a fact of academic life that departments usually work on a tight budget, therefore, administration frowns upon newly proposed courses that overlap with existing courses. This constraint required us to draw upon existing courses from several departments across the university. This not only provides the degree with a very multidisciplinary flavor, but also allows the degree program to draw upon the strengths of the various departments, which include engineering technology, computer science, chemistry, criminal justice and legal studies. The philosophy of the curriculum is to provide each student with: 1. 2. Technical computer skills, including detailed knowledge on computers and networks; Digital forensics knowledge and skills covering all aspects of the field, including all procedures to be used in the identification, collection, and examination/analysis of digital evidence from a myriad of digital devices; Criminal and civil legal issues so that the student understands the legal implications that may occur as a result of his/her actions; Numerous practical experiences to reduce the transition time from student to working professional.
3. 4.
In 2003, the National Institute of Justice created a committee composed of academicians and industry practitioners from the various forensic sciences to develop a model forensic science curriculum. This curriculum was published as Education and Training in Forensic Science: A Guide for Forensic Science Laboratories, Educational Institutions, and Students. The curriculum was targeted at biological and physical sciences, as the core requirements are fairly homogenous. What was not included was digital forensics, as the subject matter and student outcomes are significantly different from the traditional forensic sciences. As a consequence, in 2005 the National Institute of Justice created a similar committee Technical Working Group for Education and Training in Digital Forensics to develop a model curriculum for associate, undergraduate, and graduate degrees in
Proceedings of the 40th Annual Hawaii International Conference on System Sciences (HICSS'07) 0-7695-2755-8/07 $20.00 2007
digital forensics. The model curriculum was completed in early 2006, and will be published as Education and Training in Digital Forensics: A Guide for Forensic Science Laboratories, Educational Institutions, and Students. The Technical Working Group on Education and Training in Digital Evidence identified important professional student outcomes for undergraduate and graduate degrees in digital forensics. These objectives include: 1. 2. 3. 4. 5. 6. 7. Preparation for becoming a digital forensics professional Opportunities to establish a network of digital forensics contacts An educational background directly linked to the work in a digital forensics laboratory Exposure to the breadth of forensic science disciplines Acculturation into the digital forensics and justice communities Provision of a foundation for professional certification Emphasis on a wide range of courses (e.g., public speaking, ethics, and statistics) that may not be required in the curriculums of other natural science majors
e.
f. g.
h.
4. Curriculum
The required courses provide students with a technical background required to be a proficient examiner. These courses include: a. CHS 5503: Topics in Forensic Science (Dept. of Chemistry: three credits) This course covers the history of forensic science, basic forensic science principles as applied in various forensic specialties; current issues in digital evidence and professionalism. b. Computer Forensics I (Dept. of Computer Science: three credits) Covers the seizure and forensic examination of computer systems. Legal issues regarding seizure and chain of custody. Technical issues in acquiring computer evidence. Popular file systems are examined. Reporting issues in the legal system. c. Computer Forensics II (Dept. of Computer Science: three credits) This course covers the concepts of computer system security models, fundamentals of computer networking and the layered protocol architectures, detection and prevention of intrusion and attack, digital evidence collection and evaluation, and the legal issues involved in computer forensic analysis. d. CET 6000: Operating Systems and File Systems Forensics (Dept. of Engineering Technology:
i.
three credits) The course will provide students with a practical understanding of various operating systems, file systems, and applications that are relevant to digital forensics processes. CET 6001: Practice of Digital Forensics (Dept. of Engineering Technology: three credits) This is a capstone course where students demonstrate the ability to incorporate the knowledge and skills from previous courses. CET 6946: Graduate Internship (Dept. of Engineering Technology: three hours minimum). Elective Set 1: These courses provide a background on the legal and ethical issues. i. PLA 5587: Current Issues in Cyberlaw (Dept. of Legal Studies: three credits) Advanced examination and discussion of free speech, copyright, trademark, patent and privacy issues in the online environment through interactive class discussions, online discussions, postings, case study reviews, and legal research projects. ii. CJE 5688: Cybercrime and Criminal Justice (Dept. of Criminal Justice: three credits) Deals with the problem of cyber crime and the criminal use of the Internet. Includes investigation, enforcement and legal issues. Elective Set 2: These courses provide a background on courtroom/expert testimony a culmination of the examiners work. Student must choose a minimum of one of two courses. i. CHS 5518: Collection/Examination of Digital Evidence (Dept. of Chemistry: three credits) This course will cover the nature of Digital Evidence collection and examination under the constraints of Law and courtroom procedures. ii. CHS 5596: Forensic Expert in the Courtroom (Dept. of Chemistry: 3 credits) A study of the uses of technically and scientifically trained expert witnesses at trial. Elective set three: These courses provide specialized technical expertise. Students must choose a minimum one of two. i. CET 6000: Incident Response Technologies (Dept. of Engineering Technology: three credits) This course deals with computer intrusions and network attacks. ii. CAP 6133: Advanced Topics in Computer Security and Computer Forensics (Dept. of Computer Science: three credits) This course deals with current issues in computer security.
Students must select an additional three-hour course to complete their coursework requirements. Appropriate courses would include technical courses (such as computer security or incident response), legal
Proceedings of the 40th Annual Hawaii International Conference on System Sciences (HICSS'07) 0-7695-2755-8/07 $20.00 2007
studies or criminal justice (such as online privacy laws or crime scene investigative techniques), or accounting courses (such as forensic accounting). Allowing students some leeway in the selection of their electives provides them with the opportunity to truly tailor their degree to their interests or current profession. Electives are typically three-hour credit courses.
other intellectual property from a companys computer. Finally, an examiner in the military or intelligence communities may be responsible for identifying and recovering plans for poisoning a major water system from computers seized from a terrorist organization. Graduates from UCFs Graduate Certificate in Computer Forensics have been placed in a variety of positions. Several graduates now work as examiners for local law enforcement agencies. Other graduates now work as examiners for Federal law enforcement agencies, including the Drug Enforcement Agency and the FBI. Several graduates work in the private sector and industry in the capacity of systems and/or network administrators.
Proceedings of the 40th Annual Hawaii International Conference on System Sciences (HICSS'07) 0-7695-2755-8/07 $20.00 2007
However, digital forensics is fast becoming an essential aspect of civil litigation, including employment, commercial and intellectual property disputes as well as government regulatory actions concerning online privacy and deceptive consumer practices [9][11][1]. Parties to civil cases or administrative actions are now calling upon digital forensics experts to examine and recover e-mails and documents stored on individual computers or network servers to prove their cases for damages and/or injunctive relief [9][11][1]. In addition, the judiciary is experimenting with the use of virtual courts in handling civil lawsuits in which some or all evidence will be supplied digitally [10][14]. As this demand grows, so will the need for digital forensics investigators with an understanding of the civil discovery process, civil liability claims, and civil court and administrative law procedures. At a Masters level, students need to consider their role in a broader context, moving beyond the practical demands of the field to an in-depth understanding of the evolving legal, social, and policy issues in cyberlaw. Unlike many other areas of law, cyberlaw is unsettled and still in its early development. Digital forensics graduates must be equipped to play influential roles in those future advancements as well as prepare for potential roles as instructors or researchers. In a Masters in Digital Forensics program, faculty should engage their students in a manner that encourages them to explore, examine, and debate cutting edge legal and ethical issues in the online environment [8][13]. Some key areas for inquiry include Internet governance and regulation, free speech, defamation, obscenity, copyright, trademark, patent, security, professional ethics, and privacy issues [8][13]. In oral and written formats, graduate students should be able to synthesize different perspectives and articulate their own views on these online topics. A challenging Masters curriculum should advance the participants critical analysis and thinking skills through a review of seminal court cases and case studies, interactive class discussions, online discussion postings, and substantive research projects. Graduates of digital forensics programs can play important roles in the development of cyberlaw and forensic practice if their education intertwines their technological skills with a comprehensive knowledge and understanding of substantive and procedural law as well as current legal and ethical policy concerns.
equally well in both technical and non-technical ways. For instance, examiners must be able to communicate with technical peers (other examiners) to describe the procedures used and their findings. Our experiences suggest that our technically-inclined students from computer-related fields have little trouble expressing themselves technically, but often have difficulty in explaining technical details to lay persons. (In our experience, formal, written reports are not a strong tradition in many, if not most, computer-related university courses, which may be part of the problem) In contrast, we found students with less technical backgrounds (law enforcement, criminal justice, etc.) have more trouble in expressing themselves in technical terms. Communication ability is an acquired skill, which mandates that all courses in the degree include written communication (e.g. written forensic reports) where the student must write a technical section as well as a non-technical section that is understandable to judges, attorneys, and jurors. It is important that each students communication ability is assessed throughout the program so that each graduates with the requisite skill. Oral communication is just as important as writing skill as many examiners are required to testify in front of a jury as part of their duties. The degrees capstone course, Practice of Digital Forensics, includes a moot court where students are required to create an exhibit for a case on which they have worked. The moot court is usually held in an actual courtroom over a weekend to provide a realistic setting. During the moot court, students are exposed to an hour of cross-examination conducted by retired Federal agents, local law enforcement agents, and attorneys. Moot court provides students an element of realism and a realistic job preview of an examiner. Perhaps most importantly it allows students to demonstrate their ability to communicate orally and think on their feet.
9. Delivery
There will be a two-stage delivery of the curriculum. In the first year approximately half of the courses will be taught in a purely distance learning format. The remaining courses will be delivered through a hybrid format, i.e., face-to-face with supporting learning technologies. In year two we expect to have our degree entirely online. All of the current faculty members participating in the program have successfully completed a course provided by the UCF Distance Learning Department on how to develop online courses. The online format provides several advantages over traditional classroom delivery, including the ability to reach non-traditional, working and mature students and the ability to reach a geographically
Proceedings of the 40th Annual Hawaii International Conference on System Sciences (HICSS'07) 0-7695-2755-8/07 $20.00 2007
dispersed student population. We expect our primary student population to be working professionals who are incapable of taking time off during the day to attend live courses. A disadvantage to online courses is that students do not have access to laboratories with the special hardware and software that is frequently encountered in the profession of digital forensics. From our experience, we have found that there are several methods of providing students with real-world type of assignments that obviates the need for special hardware and software. The first is to structure assignments so that students are able to download evidence (typically forensic images of floppy disks, CD disks, and even small hard drives that have been compressed to reduce download time). The students then use free and/or Open Source tools that run under Linux (which is itself free) to conduct forensic analyses. One perceived drawback is that most of these tools require knowledge of the Linux command line, as most tools do not come with a graphical user interface. We believe this to be an advantage: students are forced to work at a level closer to the operating system and file system, resulting in a more intimate familiarity with each. We predict that perhaps 25-50% of students will enter the program with some Linux experience. Nevertheless, we have found that students are quickly able to learn the commands required to complete assignments. The second method is to require students to spend a short, intensive laboratory period onsite at the end of the semester for certain classes, particularly the computer and network-based classes. Here students will spend eight to ten hours a day for several days working with special hardware and software that they are likely to encounter in digital forensics practice. We are also considering holding flexible lab periods so that students can select from several weekends at the end of the semester for those students to accommodate all students.
(FBI) and over 20 years of combined experience of digital forensics as law enforcement officers.
11. References
[1] B. A. Howell, Digital Forensics: Sleuthing on Hard Drives and Networks, 31 Ver. B. J. & L. Dig. 39, 2005. [2] Department of Justice, Computer Crime & Intellectual Prop. Section, Criminal Div., Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, 2002, available at http://www.cybercrime.gov/s&smanual2002.htm (last visited June 7, 2006). [3] E. Kenneally, Confluence of Digital Evidence and the Law: On the Forensic Soundness of Live-Remote Digital Evidence Collection, UCLA J. L Tech. 5 (2005). [4] Federal Rules of Evidence (F.R.E.) 702, 901. [5] Federal Trade Commissions Official Website http://www.ftc.gov (last visited June 12, 2006). [6] Graduate Certificate in Digital Forensics, University of central Florida, available at http://ncfs.ucf.edu/home.html (last visited June 7, 2006). [7] Institute for Security and Technology Studies, Dartmouth College, Law Enforcement Tools And Technologies for Investigating Cyber Attacks: A National Needs Assessment, Dartmouth College, Hanover NH, 2002. [8] L. Burgunder, Legal Aspects Of Managing Technology, 3rd ed., New York, Thomson South-Western, 2004. [9] L. M. Arent, R. D. Brownstone & W. A. Fenwick, EDiscovery: Preserving, Requesting & Producing Electronic Information, 19, Santa Clara Computer & High Tech. L. J. 131, December, 2002. [10] L. M. Ponte, The Michigan Cyber Court: A Bold Experiment in the Development of the First Public Virtual Courthouse, 4 N.C. J. L. & Tech. 51 (Fall 2002). [11] Mark Ballard, Digital Headache, E-discovery costs soar into the millions, and litigants seek guidance, 25 NATL L. J. A18 (February 10, 2003). [12] O. S. Kerr, Searches and Seizures in a Digital World, 119 HARV. L. REV. 531, (2005). [13] R. A. Spinello, CyberEthics: Morality and Law in Cyberspace, New York, Jones and Bartlett, 2003. [14] S. C. Sandstrom & A. Bloomberg, An ancient art jazzed by high tech, 3, Leg. Tech. News 1, Spring 2002. [15] W. G. Kruse II and J. G. Heiser, Computer Forensics: Incident Response Essentials. Addison-Wesley, 2002.
10. Faculty
Interdisciplinary programs require interdisciplinary teams of faculty members. Faculty members teaching courses in the degree include five full-time tenuretrack/tenured professors, two non-tenure track professors, one instructor, and one adjunct instructor. It was clear from the outset that the professional realworld nature of the degree would require that the program have faculty members with real-world experience in law enforcement and digital forensics. Consequently we have hired two non-tenure track faculty members who have 15-20 years of law enforcement experience at the state and Federal levels
Proceedings of the 40th Annual Hawaii International Conference on System Sciences (HICSS'07) 0-7695-2755-8/07 $20.00 2007