National Forensics Training Center
“A National Impact for Mississippi State University”
Dave Dampier
Department of Computer Science and Engineering

What is the threat?
- Identity Theft
- Theft of Trade Secrets
- Using corporate networks to launch attacks on others
- Fraud
- Embezzlement
- ????

History of Digital Forensics
- The earliest notion of digital forensics came when the Federal Rules of Evidence first started to discuss digital evidence in the 1970s.
- Real digital forensics investigations started in the mid- to late 1980s, when federal agents had to start figuring out ways to search computers for digital evidence.
- This “home-grown”, bottom-up approach continued until the late 1990s, when security researchers at universities and labs started to figure out that this problem was big enough to warrant investigation.
- Research groups sprang up across the country starting around 2000 or 2001.
- The first Digital Forensics Research Workshop (DFRWS) was held in Utica, NY in August 2001.

Digital Forensics Early at MSU
- Initial work in digital forensics started at MSU in 2002. We managed to catch the “crest of the wave”.
- Lots of training and lots of research led to first class in Spring 2003. Class has been held at least once per year since.
- 2003-2006 spent building a “real” capability in digital forensics. Several M.S. and Ph.D. graduates by 2006.
- National Forensics Training Center (NFTC) – Funded by DOJ beginning in 2005.
  - Trains state and local law enforcement in cyber crime issues and basic tools and techniques of digital forensics investigation.
  - Introduced more advanced training starting in late 2006, and have continued to build capability ever since.
- Wounded Warrior Training introduced in 2008: An NSF Funded Initiative under the Cyberinfrastructure Training, Education, Advancement, and Mentoring for Our 21st Century Workforce (CI-TEAM) Program

Digital Forensics Now at MSU
- Graduate Research
  - Five active PhD students at various stages of research
    - One will graduate in December.
    - Two more will likely graduate by next December
  - Eleven active M.S. students: four doing thesis, others doing projects
- Classes are always at capacity
  - Introductory Digital Forensics offered at least once per year
  - Advanced Digital Forensics offered at least once every other year
  - Freshman Seminar Forensics offered each Fall. This includes all aspects of forensics. Students are exposed to digital forensics for three weeks in October.

Background on Law Enforcement Support
- Since 2005, MSU has managed a unique and successful Computer Crime and Digital Forensics training program to support state and local law enforcement. Feds not prohibited, but not invited either.
- Through varied DOJ Grants ~ $10M has been used to support our Digital Forensics Training and our ongoing partnership with Mississippi Attorney General.
- Funding supports an MSU coordinated Forensics Training Center that trains local and state law enforcement across the US.
  - Provides no cost training for law enforcement officers, prosecutors, and trial judges on current technical issues associated with computer crime.
  - About 5000 trained in 34 states.
- Funds a state of the art integrated Cyber Crime Fusion Center (CCFC) in Jackson MS.
  - FBI, Secret Service, Postal Inspectors, Attorney General’s Office, MSU cooperate in a Cyber Crime Fusion Center.

Law Enforcement Training
- Training conducted at MSU/Ole Miss/JSU/Siller’s Building or at student’s location when enough students are guaranteed
- Course offerings:
  - Computer Forensics Primer
  - Introduction to Cyber Crime and Digital Forensics
  - Practical Training in Computer Forensics
  - Search and Seizure of Computers and Electronic Evidence: Law Enforcement
  - Search and Seizure of Computers and Electronic Evidence: Trial Judges
  - Introduction to Digital Forensics for Prosecutors
  - Advanced Digital Forensics
  - Network Forensics
  - Open Source Tools for Forensics
  - Commercial Tools for Forensics
  - Special Topics in Forensics
  - Investigation Planning
  - FBI Image Scan Classes
  - Cell Phone Training

NFTC Staff
- Director
  - Dave Dampier, PhD
- Instructors
  - Kendall Blaylock, MS, IS (Lead)
  - Wes McGrew, MS, CS, Pursuing PhD in CS
  - Sherita Sekul, MPA, Former AG Forensics Investigator
  - April Tanner, PhD, Jackson State University
- Research Assistants
  - Dae Glendowne, PhD Student
  - Chris Ivancic, PhD Student
- Contract Instructors
  - John Fretts, Retired Law Enforcement Officer
  - Keith Leavitt, Law Enforcement Officer, Active Forensics Examiner

We Developed University Partners
- National Forensics Training Center
  - St Cloud State University
  - University of Texas at Tyler
  - California Polytechnic Pomona
  - University of Washington
  - University of West Georgia (Relationship just beginning)
- For Wounded Warrior Digital Forensics Training
  - Mississippi State University (lead)
  - Auburn University
  - Tuskegee University

National Impact
- 34 states have at least one trained.
- 5 states have current training center.
- 18 host sites have hosted training.

National Impact
- States affected: Alabama, Arkansas, Alaska, California, District of Columbia, Delaware, Florida, Georgia, Idaho, Indiana, Kansas, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Missouri, New Hampshire, New York, North Carolina, North Dakota, South Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Virginia, West Virginia, Washington
- Remote Classes taught in: Alabama, Arkansas, Alaska, California, Florida, Georgia, Idaho, Indiana, Maryland, Michigan, Minnesota, Tennessee, Texas, West Virginia
- Currently in negotiation with Connecticut State Police to have a class

IMPACT Labs/Equipment
[Figure: map of Mississippi counties (labels visible: Tishomingo, Tippah, Webster, Noxubee, Jefferson, Amite). Legend: Laboratories; Strategically Placed Equipment; Future Equipment]
- Adding Cell Phone capability in more places
- 56 of 82 counties affected.

Wounded Warrior Training
- Leveraged NFTC successes
- Partnered with Auburn/Tuskegee
- $1M effort for 3 years
- Partnering with Defense Cyber Crime Center for follow-on training
- Classes have been held at WRAMC; Ft Benning, GA; Ft. Knox KY; Ft. Carson CO; Ft Lewis WA; Norfolk Naval Hosp; Redstone Arsenal; Jackson VA Hospital; Ft. Sam Houston TX; and more to come…

Wounded Warrior Training Curriculum
- When we started, we had three tracks of instruction to accommodate backgrounds
  - Track 1: Do not have a background in computing (24 hours)
  - Track 2: Good understanding of hardware and software basics (56 hours)
  - Track 3: Those students that need advanced digital forensics training (40 hours)
- Lessons learned caused us to modify this training to two basic tracks:
  - Track 1 + Track 2 (72 hours)
  - Track 3 (32 hours)

Curriculum Details
- Introduction to Computers: This three day block will introduce the student to computer architecture, disk formatting, common software packages, operation of the computer, and an introduction to computer security concepts (firewalls, malicious code protections, spam, browsers, audit logs, and accountability).
  During this block of instruction, students will disassemble and reassemble both desktop and laptop computers.
- Introduction to Cyber Crime: This two day block of instruction is designed to teach the student proper search and seizure techniques, data hiding techniques (e.g., steganography, X-box modification, wireless external drives, etc.), proper bag and tag procedures, chain of custody, and proper procedures in conducting a forensics investigation.
- Digital Forensics Tools and Techniques: This is an intensive, hands on three day block of instruction that teaches students the proper operation of digital forensics hardware and software tools. The majority of hardware and software tools available to practicing digital forensics investigators will be used during this block. This includes a Forensic Recovery of Evidence Device (FRED) system, Image Masster and Logicube hardware for imaging purposes, an Airlite forensics kit, write blockers, Linux/Unix tool sets, EnCase forensics software, AccessData’s Forensics ToolKit (FTK), Coroner’s tool kit, Autopsy, Sam Spade tool kits and others. The emphasis of this block is practical application of the digital forensics trade.

Curriculum Details
- Business Practices: This block is designed to train the student on the cost of entering the digital forensics business, programs offered by the US Department of Veterans Affairs that can assist in establishing a small business, return on investment, and pricing structures. The cost tradeoffs of purchasing commercial versus using freeware are discussed and advantages/disadvantages of each strategy are presented.
- Practical Experience Exercise: This is a one day “live fire” exercise where students are required to conduct a digital forensics investigation and demonstrate competency throughout the entire cycle of events – from search and seizure to evidence discovery and preservation.
- Advanced Forensics techniques: This three to five days of additional training is necessary for those that intend to work for the government or that wish to be independent consultants. This additional week of instruction will cover cell phone forensics, PDA forensics, Windows forensics, and network forensics.

Success Stories
- PhD student at MSU conducted initial investigation into “Electronic Tribulation Army” hacker preparing for massive infrastructure attack on July 4, 2009, and as a result, FBI quickly made the arrest and prevented the attack.
- Columbus, MS Crime Lab up and running with provided equipment and training.
- Lee County, MS Sheriff’s Office now has fully functional computer forensics laboratory.
  - More than twenty convictions on child exploitation cases as a direct result of FTC training and equipment
  - Providing backup forensic examinations on fraud and racketeering cases for MS AG’s office
- Oxford, MS PD has convictions on child exploitation cases as a direct result of FTC training and equipment
- Assisted MS Attorney General by:
  - Increasing investigative staff by one
  - Helping prepare proposal for Internet Crimes Against Children Task Force
  - Increasing capability to handle cell phones and small devices
  - Reducing requests for outside assistance through regional labs
- Increased Secret Service (Jackson office) capacity to work cases by providing the laboratory space in the CCFC
- Some wounded warriors are now working in digital forensics investigative agencies.

Contacts at MSU
- Dave Dampier, Director, Center for Computer Security Research and Director, National Forensics Training Center, dampier@cse.msstate.edu, 662-325-2756
- National Forensics Training Center: Kendall Blaylock, Wes McGrew, 662-325-2422, http://www.msu-nftc.org