DEVELOPING DIGITAL FORENSIC PRACTITIONERS Jason Jordaan CFCE, CFE, PMCSSA, ACE MTech (Forensic Investigation), BComHons (Information Systems), BSc (CJ.


DEVELOPING DIGITAL FORENSIC PRACTITIONERS
Jason Jordaan
CFCE, CFE, PMCSSA, ACE
MTech (Forensic Investigation), BComHons (Information Systems), BSc (CJ Computer Science), BTech (Policing)
Head: Cyber Forensic Laboratory, Special Investigating Unit, South Africa

INTRODUCTION
- In an increasingly digital world, cyber crime is on the increase and is placing significant strain on law enforcement and private security resources
- Not only are cyber crimes on the increase, but more and more conventional crimes are making use of, or are facilitated by, digital devices
- Digital evidence is present in virtually every crime committed, and requires the skills of specialist digital forensics practitioners to acquire, examine, and interpret for court purposes
- There is a significant need for digital forensic practitioners around the globe, but a real shortage of these skills

A BRIEF HISTORY - 1980’s
- The rise of computer crime in the 1980’s meant that investigators began to look at computers as sources of evidence
- Law enforcement began initial training efforts in digital forensics
  - FBI CART
  - Federal Law Enforcement Training Centre
  - London Metropolitan Police
  - IACIS

A BRIEF HISTORY - 1990’s
- The 1990’s saw the “birth” of the Internet as we know it today; the increasing consumerisation of technology meant more technology was involved in crimes, and Internet-facilitated cyber crime grew rapidly
- The development of standards by various law enforcement bodies
- Development and training expanded, but still primarily within law enforcement and government
- Some growth in private sector training and development
  - SANS Institute

A BRIEF HISTORY - 2000’s
- Cyber crime explodes in the 2000’s, and the integration of technologies such as mobile devices exponentially expands the potential sources of technological evidence, as well as the use of technology in criminality
- CSI makes forensic science “sexy”
- Digital forensics evolves from investigative techniques to a full forensic science
- Significant development in the private sector with regard to training courses and programs in digital forensics
- Development of formal academic programs at universities around the world

DIGITAL FORENSICS COMPETENCIES
- Any development framework or development strategy must take into account skill and knowledge competencies for the particular occupation
- No established and generally recognised competencies for digital forensic practitioners
- Some organisations have developed competency frameworks and models for digital forensics
  - SANS
  - DFCB
  - IACIS
  - National Cybersecurity Workforce Framework

NATIONAL CYBER SECURITY FRAMEWORK DIGITAL FORENSIC COMPETENCIES
- Knowledge of concepts and practices of processing digital information.
- Knowledge of critical protocols (e.g., IPSEC, AES, GRE, IKE, MD5, SHA, 3DES).
- Knowledge of cyber crime response and handling methodologies.
- Knowledge of network architecture concepts including topology, protocols, and components.
- Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools.
- Knowledge of legal governance related to information security, computer monitoring, and collection.

NATIONAL CYBER SECURITY FRAMEWORK DIGITAL FORENSIC COMPETENCIES
- Knowledge of server diagnostic tools and fault identification techniques.
- Knowledge of system administration concepts for Unix/Linux and/or Windows operating systems.
- Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage).
- Knowledge of binary analysis.
- Knowledge of file system implementations.
- Knowledge of Forensic Chain of Evidence.
- Knowledge of hacking methodologies in Windows or Unix/Linux environment.

NATIONAL CYBER SECURITY FRAMEWORK DIGITAL FORENSIC COMPETENCIES
- Knowledge of substantive and procedural law dealing with cyber crime and digital evidence.
- Knowledge of processes for packaging, transporting, and storage of electronic evidence to avoid alteration, loss, physical damage, or destruction of data.
- Knowledge of types and collection of persistent data.
- Knowledge of web mail collection, searching/analysing techniques, and cookies.
- Knowledge of which system files (e.g., log files, registry files, configuration files) contain relevant information and where to find those system files.

NATIONAL CYBER SECURITY FRAMEWORK DIGITAL FORENSIC COMPETENCIES
- Knowledge of types of digital forensics data and how to recognise them.
- Knowledge of deployable forensics.
- Knowledge of forensics in multiple operating system environments.
- Knowledge of security event correlation tools.
- Knowledge of legal governance related to admissibility (Criminal Procedure Act, Civil Proceedings and Evidence Act, Electronic Communications and Related Matters Act).

NATIONAL CYBER SECURITY FRAMEWORK DIGITAL FORENSIC COMPETENCIES
- Knowledge of electronic devices such as computer systems and their components, access control devices, digital cameras, handheld devices, electronic organisers, hard drives, memory cards, modems, network components, connectors, pagers, printers, removable storage devices, scanners, telephones, copiers, credit card skimmers, facsimile machines, global positioning systems, and other miscellaneous electronic items.
- Knowledge of social dynamics of computer attackers in a global context.
- Skill in analysing memory dumps to extract information.

NATIONAL CYBER SECURITY FRAMEWORK DIGITAL FORENSIC COMPETENCIES
- Skill in identifying, modifying, and manipulating applicable system components (Windows and/or Unix/Linux) (e.g., passwords, user accounts, files).
- Skill in processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.
- Skill in setting up a forensic workstation.
- Skill in using digital forensic tools (hardware and software).
- Skill in using virtual machines.
- Skill in disassembling PCs.

NATIONAL CYBER SECURITY FRAMEWORK DIGITAL FORENSIC COMPETENCIES
- Ability to decrypt digital data collections.
- Skill in seizing and preserving digital evidence.
- Skill in finding and extracting information of evidentiary value.
- Skill in using scientific rules and methods to solve problems.

FINDING THE RIGHT PERSON
- A strong aptitude for information technology, science and mathematics, and a genuine passion for digital forensics
- A capacity for learning, and comfortable with ongoing learning
- A strong desire to achieve mastery
- A strong sense of ethics and justice
- Attention to detail
- Good communication ability, both written and verbal

TERTIARY ACADEMIC PROGRAMS
- There has been a huge increase in the number of universities around the world offering digital forensics courses or degrees
- Many of these programs have practical shortcomings in terms of content and lecturers
- This has created a situation where there are many digital forensic graduates who still require extensive training and experience before they can effectively function as digital forensic practitioners

TERTIARY ACADEMIC PROGRAMS
- The number of universities around the world that offer digital forensic programs that meet the real needs of digital forensic practitioners is limited
- Most are postgraduate programs that build on a strong undergraduate program in computer science
- Professional forensic science bodies have established academic standards to ensure that academic programs produce competent digital forensic practitioners

TERTIARY ACADEMIC PROGRAMS
- The Forensic Science Society has developed component standards in digital forensic science and runs an accreditation scheme for academic institutions
- The American Academy of Forensic Science’s Forensic Science Education Programs Accreditation Commission has undergraduate and postgraduate digital forensic accreditation standards

TERTIARY ACADEMIC PROGRAMS
- The University of Pretoria, the University of Johannesburg, and the University of Cape Town all offer a digital forensics module as part of a postgraduate qualification
- Two of the programs require an undergraduate computer science/information systems degree
- None of these programs are specialised digital forensics programs
- None of these programs meet either the AAFS or FSS requirements

TERTIARY ACADEMIC PROGRAMS
- There is a need to develop a local postgraduate academic program that is compliant with the AAFS or FSS academic standards
- The program needs to be at least at MSc level, with an undergraduate computer science degree as a mandatory requirement
- There is a need to more closely align academic research programs in the field of digital forensics with the field of practice

VENDOR TRAINING
- Training provided by software/hardware vendors
- Focuses primarily on the usage of the specific hardware/software
- Limited training on general forensic science principles and digital forensic science principles
- Often important to demonstrate proficiency in the use of a particular tool for court purposes
- Most hardware/software available in South Africa through local distributors is supported by training

VENDOR NEUTRAL TRAINING
- Training in general forensic science and digital forensic science
- Does not focus on the use of specific tools
- Provides foundation, and specialised skills and knowledge of scientific processes and principles, digital systems and artifacts, and the law
- This type of training is critical
- Limited in South Africa, but developing, for example SANS 408 now available locally

CERTIFICATIONS
- A formal and independent process of validating skill, knowledge and competency
  - Tool specific (EnCE, ACE, MCE)
  - Digital forensics (CFCE, GCFE, GCFA, CHFI)
- Test a standard body of knowledge
- Valid for a limited time period and require recertification
- Certifications that are compliant with ANSI/ISO and FSAB standards are preferable and more credible

CONTINUING EDUCATION
- Information technology, digital forensic science, and law are constantly changing and evolving
- Digital forensic practitioners must be constantly learning to stay current and competent in these evolving fields
- Professional norms consider a minimum of 40 hours of continuing professional education to be standard, and there must be a balance between the various digital forensics core knowledge areas

INTEGRATED DEVELOPMENT
- A strategy to develop digital forensic practitioners to address skill and knowledge shortages
- Looks for potential rather than qualifications
- Combines technical training, certification programs, and mentorship
- Medium term strategy
- Requires significant investment
- Develops competent digital forensic practitioners

INTEGRATED DEVELOPMENT - Year One
- Selection Process
- Training and Certification
  - A+, N+ and Security+
  - Forensic Acquisition
- Mentorship and Experience
  - Forensic Acquisition
  - Forensic Triage

INTEGRATED DEVELOPMENT - Year Two
- Training and Certification
  - SANS 408
  - GCFE
  - Forensic Examination
- Mentorship and Experience
  - Forensic Examination

INTEGRATED DEVELOPMENT - Year Three
- Training and Certification
  - BCFE
  - CFCE
  - Forensic Analysis
- Mentorship and Experience
  - Forensic Analysis

CONCLUSION
- Digital forensics has evolved from a technical investigative discipline to a forensic science discipline
- Identifying the necessary competencies for digital forensic practitioners is crucial, as these guide development activities
- Independent accreditation of practitioners assures baseline competencies
- Foundation development is critical, and must be continued through continuing development programs