
DESIGN AND IMPLEMENTATION OF DIGITAL FORENSICS LABS
A case study for teaching digital forensics to undergraduate students
Hongmei Chi, Edward L. Jones, Christy Chatmon and Deidre Evans
Department of Computer and Information Science, Florida A&M University, 1333 Wahnish Way, Tallahassee FL 32307-5100, USA
hchi@cis.famu.edu, ejones@cis.famu.edu, cchatmon@cis.famu.edu, deidre.evans@famu.edu

Keywords: Digital forensics, hands-on labs, FTK, open source, security education.

Abstract:
Teaching digital forensics in a college has always been a challenge, especially when hands-on labs are basic elements of the course. Digital forensics software and hardware are expensive. This paper addresses some of the challenges of identifying forensics tools of appropriate cost and functionality. We focus on inspiring the interest of students with diverse backgrounds, and on giving students hands-on experiences that enhance their pursuit of careers in information assurance or law enforcement. We present a pragmatic approach to teaching digital forensics, motivated by the growing demand for a professional workforce.

INTRODUCTION

When our daily lives rely more and more on digital information, we become more susceptible to attacks. Computer crime impacts our ordinary lives deeply, creating new challenges for law enforcement officers and forensic examiners. Ninety percent of current crimes involve computers in some way. Fortunately, when computer criminals commit crimes they also leave many clues in the form of digital evidence. We need digital forensics professionals to capture and classify that digital evidence [7].

Digital forensics plays an important role in crime reconstruction. The need for computer forensic professionals and technicians is growing rapidly, leading to radical growth in digital forensic education and training over the past ten years [6]. The core of these training programs is a set of suitable hands-on digital forensic labs [5]. The main step in training students who prepare to be computer forensic professionals lies in creating a comprehensive approach to computer forensics education. The goals of this paper are to describe how we set up a digital forensics course, and to establish a series of hands-on computer forensic labs that facilitate student entry into the law enforcement workforce. This paper focuses on designing and implementing hands-on computer forensic labs for the undergraduate students and law enforcement professionals who take our classes. Given a well-planned approach, and despite limited funding, we create a series of labs that utilize easily obtained tools and open source code.

Students entering this field face a steep learning curve. Hands-on labs help students quickly grasp the core content and topics [4]. In this paper we show, by example, how to design labs that help students or trainees understand digital forensics step by step. In addition, we adapt the labs to students at different levels.

MOTIVATION

Our department has a positive track record in Information Assurance education. Since its introduction, the IA track has enjoyed the demand and throughput shown in Table 1. Additional IAS courses have been introduced to meet growing demand for digital forensics and for elective courses suitable for other majors such as criminal justice. This paper reports on our efforts to increase the capacity of the IA program to meet the demand from CIS majors, and to move towards cross-disciplinary programs with STEM and other disciplines.

Our department has an opportunity to expand to meet the needs of the university. Because computing is so pervasive, the university has an obligation to educate its faculty, its students, and the public about the risks of information technology as they relate to privacy and rights. IA is one of the first aspects of computing that impacts directly on the average U.S. citizen. The mandate to serve the community is compelling.

2.1 IA Education

This paper discusses the design and implementation of hands-on labs for undergraduate students who are exploring the nature of digital forensics for the first time. These labs are designed step by step, so that increased participation of minorities in digital forensics is expected, given the large number of Criminal Justice majors and the high demand for information assurance courses at FAMU. This project is expected to populate a pipeline of students who are prepared to pursue graduate study in digital forensics or enter the digital forensics professional workforce.

In August 2003, NSF awarded the CIS Department an Information Assurance (IA) Capacity Building grant. This collaborative project with Florida State University resulted in a comprehensive three-course undergraduate information assurance and security (IAS) curriculum track that was certified by NSA and CNSS in November 2004 as having implemented two CNSS training standards, NSTISSI 4011 (Information Assurance Professional) and NSTISSI 4014 (Information Systems Security Officer Entry Level). As shown in Table 1, the IAS track is in great demand by students and, to date, nearly 60 students have earned certificates.

Table 1. Demand for IA Courses at FAMU

IA Courses                        2005  2006  2007  2008  2009
Intro to Computer Security          30    24    30    18    27
Network Security & Cryptography     17    22    11    16    11
Applied Security                    38    21    40    17    15
Digital Forensics                   12, 16, 17, 29 (four values in the extracted table; year columns not recoverable)
#Certificates                       N/A, N/A, 5, 10 (four values in the extracted table; year columns not recoverable)

Figure 1. Competencies for forensics professionals. [figure not reproduced in this text]

2.2 Digital Forensics

The first area of expansion for the highly successful IA program is digital forensics, for which there are large numbers of students in other disciplines such as criminal justice. There is also an opportunity to serve the local law enforcement workforce. The cross-disciplinary concentration in digital forensics prepares students for professional certification and entry into the computer/digital forensics workforce.

The skills [13] needed by a digital forensics professional fall into the areas shown in Figure 1. This education is inter-disciplinary, combining criminal justice and computer science. Our introduction to digital forensics course is taken by many criminal justice majors. It is a challenge to convey computer concepts to students with limited knowledge of computers. We take two steps to accommodate non-CIS majors: first, we introduce relevant computing concepts and terminology briefly in lectures; second, we design hands-on labs in which students apply these concepts directly to tasks related to digital forensics.

We utilize two types of lab assignments. The first set of labs is designed for criminal justice majors, who have less computing knowledge and experience. These hands-on labs focus on Windows, so that students can become comfortable using the computer in a way they probably have not done before. This step eases the transition to the next set of more highly technical labs. The second set of labs involves the use of Windows and Linux environments, with which CIS majors are more familiar. Lab assignments are performed by mixed student teams, to ensure that teams have the subject matter expertise and technical knowledge to complete the assignments. Additional benefits of mixed teams are the opportunity and necessity of learning from one another.

Certain techniques and procedures have to be established for evidence identification, preservation, extraction, documentation, and interpretation. Individual lab work is designed to help students understand these procedures, learn some fundamental techniques, and practice them first hand.

HANDS-ON LABS

One of the critical steps in training students who prepare to be computer forensic professionals lies in creating a comprehensive approach to computer forensics education [1,2]. This paper focuses on designing and implementing hands-on computer forensic labs for students or law enforcement professionals. In this section we address how to create labs that help students or trainees understand computer forensics step by step.

4.1 Tools

Commercial tools for digital forensics are expensive for any college, with an average cost of $3,000-$5,000 per license. With limited funds, it is unrealistic to spend $50,000 to purchase commercial tools for one course. Because new tools are continually being released into the market, this investment would be required on a regular basis. Fortunately, many open source and freeware forensics tools are available. Tables 2 and 3 list the tools we use, along with their major features.

Table 2. Encryption/Decryption Tools for Labs

Tool              Features
Cain & Abel       Password recovery for Windows
SAMinside         Password recovery for Windows
John The Ripper   Password recovery for Windows and Linux
Camouflage        Digital steganography

Table 3. Digital Forensic Tools for Lab

Tool                                     Features
AccessData Forensic Toolkit (FTK) [12]   Imager; registry viewer; password recovery; query searching; data carving; integrated viewers and media player to view any set of data
Helix [8]                                Imager; password recovery; cookie viewer; Internet history viewer; registry viewer; file recovery; protected storage viewer; scan for pictures
Sleuth Kit [9]                           Create timeline of file activity; sort files based on file type, perform extension checking and hash database lookups; analyze image partition structures and process data units at content location
WinHex                                   Disk editor; data recovery; analyze and compare files; disk cloning; drive and file wiper; encryption
Log Parser [10]                          View event log; view the registry; use queries to retrieve valuable information from data
Paraben demo [11]                        Cell phone forensics; email investigation

Because students of any major are familiar with passwords, one of the first hands-on labs involves tracking and recovering passwords. Many students are surprised to learn how easily their own passwords can be cracked.

The design of these lab experiences incorporates an understanding of the tasks a computer forensic professional may be called upon to do, and the professional practices that must be followed to ensure legitimate results. We consider the labs from four aspects of investigation:
1. email investigation;
2. web activities investigation;
3. Windows registry; and
4. live and memory investigation.

4.3 Sample Labs

For each lab, we have to define the objectives, such as acquiring an image for analysis or recovering passwords. The challenging part for us is to find real data on which students can practice their skills after a few labs with fabricated data. The Honeynet Project website (http://www.honeynet.org/challenges) is very useful: a real challenge case study is posted there every month. The purpose of these challenges is to help the security community develop the forensic and analysis skills to decode real attacks. We used the Scan24 challenge case study, which has the following introductory scenario:

  Joe Jacobs, 28, was arrested yesterday on charges of selling illegal drugs to high school students. A local police officer posing as a high school student was approached by Jacobs in the parking lot of Smith Hill High School. Jacobs asked the undercover cop if he would like to buy some marijuana. Before the undercover cop could answer, Jacobs pulled some out of his pocket and showed it to the officer. Jacobs said to the officer "Look at this stuff, Colombians couldn't grow it better! My supplier not only sells it direct to me, he grows it himself."
  ...
  Jacobs has denied selling drugs at any other school besides Smith Hill and refuses to provide the police with the name of his drug supplier/producer. The police have imaged the suspect's floppy disk and have provided you with a copy. They would like you to examine the floppy disk and provide answers to the following questions.

  1. Who is Joe Jacobs' supplier of marijuana, and what is the address listed for the supplier?
  2. What crucial data are available within the coverpage.jpg file, and why is this data crucial?
  3. What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?
  4. For each file, what processes were taken by the suspect to mask them from others?
  5. What processes did you (the investigator) use to successfully examine the entire contents of each file?

Retrieved from web site: http://old.honeynet.org/scans/scan24/report.txt

We designed the lab to support this case study, and used some of the case study questions for students to answer.
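Questions 4 and 5 of the Scan24 case study turn on two of the Table 3 features, extension checking and data carving. The Python below is an added example, not code from the paper, from The Sleuth Kit or from FTK; the signature table, the file names and the raw image bytes are all constructed here for illustration.

```python
"""Extension checking and JPEG carving on a constructed floppy-style image.
Added example; not the paper's lab code and not part of The Sleuth Kit."""
from typing import Dict, List, Optional, Tuple

# Leading-byte signatures ("magic numbers") for a few common file types.
SIGNATURES: Dict[str, bytes] = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 container (Word/Excel 97-2003)
}
# Extensions that legitimately share a signature with another type.
ALIASES = {"jpeg": "jpg", "xls": "doc", "ppt": "doc", "docx": "zip", "xlsx": "zip"}

def identify(data: bytes) -> Optional[str]:
    """Type implied by the content's leading bytes, or None if unrecognised."""
    for kind, magic in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None

def extension_check(name: str, data: bytes) -> Tuple[str, Optional[str], bool]:
    """Compare the claimed extension with the content signature.
    Returns (claimed_type, detected_type, mismatch); an unknown signature
    is not reported as a mismatch, only a contradicting one."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = ALIASES.get(ext, ext)
    detected = identify(data)
    return claimed, detected, detected is not None and claimed != detected

def suspicious_files(files: Dict[str, bytes]) -> List[str]:
    """Names whose content contradicts their extension (a common masking step)."""
    return [name for name, data in files.items() if extension_check(name, data)[2]]

def carve_jpegs(image: bytes) -> List[Tuple[int, int]]:
    """Carve JPEG streams out of raw bytes by pairing each SOI marker with the
    next EOI marker; returns [(start, end_exclusive), ...] offsets."""
    found, pos = [], 0
    while True:
        start = image.find(b"\xff\xd8\xff", pos)
        end = image.find(b"\xff\xd9", start + 3) if start >= 0 else -1
        if end < 0:
            return found
        found.append((start, end + 2))
        pos = end + 2

# Constructed sample: a directory listing and a raw image with slack space.
FILES: Dict[str, bytes] = {
    "coverpage.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20 + b"\xff\xd9",
    "schedule.doc": b"PK\x03\x04" + b"\x00" * 16,   # ZIP content renamed to .doc
    "notes.txt": b"Meet at the usual place\n",
    "budget.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
}
RAW_IMAGE = b"\x00" * 7 + FILES["coverpage.jpg"] + b"\x00" * 5 + FILES["schedule.doc"]
```

`suspicious_files(FILES)` flags only `schedule.doc`, and `carve_jpegs(RAW_IMAGE)` recovers the JPEG at offsets (7, 33) regardless of what the directory entry says about it.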

Most students completed this lab unassisted, and reported that they enjoyed the assignment.

All hands-on labs can be categorized into two types: Level-1 and Level-2. Level-1 labs are for non-majors; they are designed to help students master computer terms and prepare them to complete the Level-2 (major) labs.

One of our hands-on labs uses SAMinside to crack passwords of different levels of complexity. The purpose of this lab is to use cracking tools to expose weak passwords, and to understand the significance of the LM hash (LAN Manager) weaknesses. For non-major students there is a lot of jargon, so we design a Level-1 lab to help them understand the SAM (Security Account Manager), the LM hash, and password complexity. This lab works better for non-major students than a lecture-only session; students master the concepts more easily.

In summary, the principles of these labs are designed and modified according to the background and knowledge of our students. The final goal is to let students, whatever major they are studying, grasp the major concepts of digital forensics.
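The Level-1 SAM/LM-hash lab above teaches why password complexity does not protect an LM hash. The Python below is an added example, not the paper's lab material or SAMinside output: it models the LM preprocessing steps (without the DES stage) to compare apparent and effective search spaces, and adds an audit check on stored LM hashes. The character-class sizes and the `lm_*` function names are assumptions.

```python
"""Why the LM hash lab shows passwords to be weak: the preprocessing steps
shrink the search space no matter how strong the password looks.
Added example, not the paper's lab code; it models the LM steps but does
not perform the DES stage. Alphabet sizes are a modelling assumption."""
import math
from typing import Tuple

# LM hash of the empty string; the second half of any LM hash for a
# password of 7 characters or fewer is exactly this constant.
LM_EMPTY_HALF = "AAD3B435B51404EE"

# Character-class sizes used to estimate search spaces (assumed model:
# printable ASCII, punctuation counted without the space character).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32

def lm_preprocess(password: str) -> Tuple[bytes, bytes]:
    """The LM steps before DES: upper-case, truncate to 14 bytes, NUL-pad,
    and split into two 7-byte halves that are hashed independently."""
    raw = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]

def lm_keyspace(password: str) -> Tuple[int, int]:
    """Return (effective LM search space, apparent search space).
    Apparent: full alphabet of the classes present, to the password length.
    Effective: case-folded alphabet, each non-empty 7-byte half searched on
    its own, so the two costs add instead of multiply."""
    classes = {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }
    apparent_alpha = (LOWER * classes["lower"] + UPPER * classes["upper"]
                      + DIGITS * classes["digit"] + SYMBOLS * classes["symbol"])
    folded_alpha = (UPPER * (classes["lower"] or classes["upper"])
                    + DIGITS * classes["digit"] + SYMBOLS * classes["symbol"])
    halves = [h.rstrip(b"\x00") for h in lm_preprocess(password)]
    effective = sum(folded_alpha ** len(h) for h in halves if h)
    return effective, apparent_alpha ** len(password)

def lm_bits(password: str) -> Tuple[float, float]:
    """Same comparison expressed in bits of work, rounded to one decimal."""
    eff, app = lm_keyspace(password)
    return round(math.log2(eff), 1), round(math.log2(app), 1)

def lm_hash_reveals_short_password(lm_hex: str) -> bool:
    """Audit check on a stored 32-hex-digit LM hash: a second half equal to
    the empty-string constant means the password is at most 7 characters."""
    lm_hex = lm_hex.strip().upper()
    if len(lm_hex) != 32:
        raise ValueError("LM hash must be 32 hex digits")
    return lm_hex[16:] == LM_EMPTY_HALF
```

For "Password123!" the apparent space is 94^12 (about 78.7 bits) while the LM halves cost 68^7 + 68^5 (about 42.6 bits), which is the gap the lab lets students observe with a cracking tool.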

5 RESPONSES FROM STUDENTS

Anecdotal feedback from students is very positive. The last question in the final exam for this class is "Write down the most interesting topics that you have learned from this class." Several responses are presented next:

"The different tools used in all labs were the most interesting. FTK and other tool[s] allow investigator[s] to find out evidence from many different file types including encrypted files."

"The most interesting part was to learn how to uncover hidden information from computer."

"The hands-on experience labs make use of FTK, Helix and Sleuth Tools. Being able to act as investigator is very interesting. I would like to work as [in a] digital forensics related job."

"The labs use these real-world cases that are from the wild, real hacks. Solving those real challenge cases inspired me. I would like to work at digital forensics related job in [the] future."

"The most interesting part of this class is hands-on labs. Network forensics, botnet and honeynet and malware transmission through the internet is a costly problem that can eventually become the biggest homeland security threat."

Many students are inspired to learn more about digital forensics and would like to work as digital forensics professionals. Among those students, some already come from law enforcement, and some are non-majors. Students generally agree that hands-on labs contain the most useful material for this course, and that the labs help them grasp difficult concepts and procedures more easily. Among lectures, projects and hands-on labs, students rate the hands-on labs highest. In our term project, we ask students to design their own lab assignment based on one or two open source tools. It turns out that most students can complete their term project with limited supervision. This skill will be helpful when they become professionals after they graduate.

CONCLUSIONS

We have discussed our principles and ideas for creating hands-on labs for different levels of students in a digital forensics course, given the constraint that the tools used come from free sources. In the future, we will continue to work with the most popular forensics tools and create more labs that exploit the features of these tools, to expand the design variations we want students to experience [3]. In addition, we will improve existing labs and continuously gather student feedback to make the labs better learning tools and more student-friendly.

Future work will also focus on making certain that the labs are adaptable to different levels of student expertise and ambition. Open-ended labs provide rich experiences for motivated students, and the results of out-of-the-box explorations extend the depth of future lab assignments. We will focus on how to carry our security education into a set of game-based hands-on labs, such as phishing education [14] and network security labs like CyberCIEGE [15]. In addition, we will design and develop in-house games to use in hands-on labs [16].

ACKNOWLEDGMENTS
The authors recognize the contribution of
graduate student Jude Desti in implementing many
of the hands-on labs. This work has been supported
in part by U.S. Department of Education grant
P120A080094, and by NSF Minority Institutions
Infrastructure grant CNS-0424556.

REFERENCES
[1] Austin, R. D. 2007. Digital forensics on the cheap: teaching forensics using open source tools. Proceedings of the 4th Annual Conference on Information Security Curriculum Development (InfoSecCD'07), September 28, 2007, Kennesaw, Georgia. ACM, New York, NY, 1-5.
[2] Batten, L. and Pan, L. 2008. Teaching Digital Forensics to Undergraduate Students. IEEE Security and Privacy 6, 3 (May 2008), 54-56.
[3] Lawrence, K. and Chi, H. 2009. Framework for the design of web-based learning for digital forensics labs. Proceedings of the 47th Annual ACM Southeast Regional Conference, March 19-21, 2009, Clemson, SC.
[4] Manson, D., Carlin, A., Ramos, S., Gyger, A., Kaufman, M., and Treichelt, J. 2007. Is the Open Way a Better Way? Digital Forensics Using Open Source Tools. In Proceedings of the 40th Annual Hawaii International Conference on System Sciences (HICSS 2007), January 3-6, 2007, Waikoloa, Big Island, Hawaii, USA. IEEE Computer Society, 266.
[5] McGuire, T. J. and Murff, K. N. 2006. Issues in the development of a digital forensics curriculum. Journal of Computing Sciences in Colleges 22, 2 (Dec. 2006), 274-280.
[6] Yasinsac, A., Erbacher, R. F., Marks, D. G., Pollitt, M. M., and Sommer, P. M. 2003. Computer Forensics Education. IEEE Security and Privacy 1, 4 (Jul. 2003), 15-23.
[7] Wassenaar, D., Woo, D., and Wu, P. 2009. A certificate program in computer forensics. Journal of Computing Sciences in Colleges 24, 4 (Apr. 2009), 158-167.
[8] Helix - Incident Response & Computer Forensics Live CD by e-fense, Inc. Downloaded from http://www.e-fense.com/helix/index.php on 8/15/2008.
[9] The Sleuth Kit & Autopsy: Digital Investigation Tools for Linux and other UNIX environments. Downloaded from http://www.sleuthkit.org/sleuthkit/desc.php on 8/15/2008.
[10] LogParser 2.2 Documentation. Downloaded from http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1287 on 8/15/2008.
[11] Paraben Forensics Tools. Downloaded from http://www.paraben-forensics.com/ on 8/15/2008.
[12] AccessData - Forensic Toolkit 2.0. Downloaded from http://www.accessdata.com/downloads/media/AccessData_Forensics_Brochure.pdf on 8/15/2008.
[13] Volonino, L., Anzaldua, R., and Godwin, J. 2006. Computer Forensics: Principles and Practices. Prentice Hall, ISBN 0131547275.
[14] Sheng, S., Magnien, B., Kumaraguru, P., Acquisti, A., Cranor, L. F., Hong, J. I., and Nunge, E. 2007. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS 2007).
[15] Cone, B. D., Irvine, C. E., Thompson, M. F., and Nguyen. 2007. A Video Game for Cyber Security Training and Awareness. Computers & Security 26, 1 (February 2007), 63-72.
[16] Chi, H. and Jones, E. 2010. Broadening Information Assurance Awareness by Gaming. 2nd International Conference on Computer Supported Education (CSEDU 2010), Valencia, Spain, April 7-10, 2010. Submitted.
