Computer Security and Computer Forensics

1
Computer Security and Computer Forensics
Dr John Haggerty Network and Information Security
Technology Lab (NISTL), Liverpool John Moores
University J.Haggerty_at_ljmu.ac.uk http//www.cms.l
ivjm.ac.uk/cmpjhagg/
2
Outline of talk

• Background
• My philosophy
• What constitutes computer security versus
  computer forensics?
• Problems in teaching both computer security and
  computer forensics
• The perfect module/programme?
• Future issues and directions that can be brought
  into a course
• LJMU initiatives

3
My background

• Lecturer in Computer Security and Computer
  Forensics at LJMU
• Teach modules in security and forensics
• Developed and now Programme Leader for BSc (Hons)
  Sandwich Computer Forensics at LJMU
• Chair of Advances in Computer Security and
  Forensics (ACSF) conference more later
• Computer security and forensics background
• Academic research
• Practitioner experience
• I hope to be a bit contentious in this talk!

4
My foolosophy

• Computer security and computer forensics are
  distinct but complementary fields
• Hopefully, will demonstrate this during the talk
• Computer security is deterministic
• Computer forensics is multi-disciplinary
• Is computer forensics vocational or just computer
  science by another name?
• New academic research area brings problems
• Forensics free-for-all with security papers
  masquerading as forensics

5
Research-informed teaching
Conception of Knowledge Objective and separate
from knowers
Disciplinary Research culture
Departmental Learning milieu
Conception of Teaching Teacher focused,
information transmission
A. Brew, Teaching Research New relationships
and their implications for inquiry-based teaching
and learning in higher education, Higher
Education Research Development, vol. 22, no. 1,
2003.
6
Research-informed teaching
Forensics Vocational/Practitioner input?
Disciplinary Research culture
Academics
Students
Departmental Learning milieu
Knowledge transmission
7
Computer security - definition

• Computer security is the preservation of system
  confidentiality, integrity and availability
• Some researchers have broadened this definition
  to include access control, authentication,
  authorisation, etc.
• Well defined and accepted area
• Focus on the preservation of system security
• In real life, aims to reduce the economic cost of
  an attack or threat of attack

8
Computer forensics - definition

• Computer forensics the study of how people use
  computers to inflict mischief, hurt, and even
  destruction (Mohay et al, 2003)
• The application of computer investigation and
  analysis techniques to determine potential
  evidence (Li Seberry, 2003)
• No accepted definition
• Focus on investigation and analysis
• To determine responsibility for an event/set of
  events
• Legacy of law enforcement focus
• But is being adopted outside this domain

9
Security vs. forensics activities

• Security versus forensics activities (caveat -
  depending on the focus of the investigation!)

Worms
Data source analysis
Firewalls
Mobile Device forensics
HD analysis
DoS/ DDoS
Access Control
Hacking
Investigation frameworks
Evidence collection
Intrusion detection
Incident Response
Fraud investigation
Mobile code/agents
Packet Spoofing
Law
Imaging
DRM
Cryptography
Log analysis
Impersonation
Port Scanning
Restoring deleted evidence
Hostile Code
Anti-Virus
Spam
Data theft analysis
Privacy
Security
Forensics
10
Computer security timeline

• Iterative process
• Focus on system integrity

Security planning policies
Deploy countermeasures
Fix problem/ Ensure no repeat
Problem discovered
Problem analysis
11
Computer forensics timeline

• Linear process
• Focus on culpability/responsibility

12
Problems teaching forensics

• Security, and its benefits, are well known
• Forensics less so
• Teaching contradictory activities
• e.g. hacking, anti-forensics, etc.
• Often wearing two hats which is problematic
• e.g. views on Vista encryption
• Have to educate university colleagues to
  re-assure them of the benefits of forensics

13
The perfect forensics module?

• Spans the computing spectrum (IS -gt SE)
• Fit lecturers interests to student abilities
• Make use of free tools in labs
• As always, assume no knowledge
• CSI doesnt count ?
• I have forensic science students on my modules
• Can only introduce a broad subject
• Suggested lecture topics (no security per se)
• What is computer forensics?, basics of HD/storage
  media, legal aspects, uses of computer forensics,
  procedures, Windows, Unix, network forensics,
  ethics, data hiding, investigating fraud, future
  issues

14
The perfect programme?

• Rooted in computer science with specialist
  modules
• Not all students will work in forensics after
  graduation
• Forensics lab is required
• Complement existing modules
• e.g. programming, architecture, networks, etc.
• Suggested specialist topics/modules
• Year 1 Introduction to computer forensics,
  introduction to general law, scientific methods
• Year 2 Use of computer forensics tools,
  developing investigations, IT law, development of
  forensic tools
• Year 3 Computer security, network security,
  advanced IT law, advanced computer forensics

15
Future challenges

• Academia well placed to meet future challenges to
  the field (throw out the goalposts?)
• To name a few
• Move to mobile/pervasive networked devices
• Expanding memory availability
• User security
• Secure networked applications (e.g. Skype)
• Investigatory procedures/frameworks in corporate
  environments
• The law and technology (geo-political borders)
• Multi-disciplinary nature of the field

16
Future directions

• Possible areas to bring into a computer forensics
  module/programme
• Some future directions of the field
• Process automation
• Development of scalable tools and techniques
• Development of standards outside law enforcement
• Understandable and applicable investigation
  frameworks
• Security with accountability
• Multi-disciplinary approaches encompassing law,
  technology and trust

17
LJMU initiatives

• Practitioner talks
• Get to know your local practitioners, police,
  etc.
• Multimedia resources
• Videos, MP3 downloads, etc.
• Advances in Computer Security and Forensics (ACSF
  2008) conference sponsored by IET
• Opportunity to meet with practitioners and
  researchers
• Students attend for free!
• Poster session by undergraduate/MSc students to
  present their projects at next conference

18
Summary

• Computer security and computer forensics are
  distinct but complementary fields
• As both fields are distinctive, wearing two hats
  can be problematic
• The perfect (?) computer forensics module will
  have very little computer security input but
  computer security should be included in the
  perfect (?) computer forensics programme
• Bring in future issues/directions of the field
  into the module and programme