Future of Digital Forensics: A Survey of Available Training

A. Evans, A. Williams, and J. Graham
Computer Science Department, Norfolk State University, Norfolk, VA USA

Abstract

The field of forensics is multidisciplinary by nature, founded on the disciplines of criminology and information technology. However, most coursework leading to a foundation in the field is offered within the Chemistry and Biology disciplines in addition to Computer Science. Regardless of the framework in which the courses are offered, the coursework itself must address social, legal, and ethical considerations for practitioners. In an effort to satisfy the different needs associated with forensics, there are different avenues one can pursue when seeking training in the field. Our research has identified 37 computer-related programs including some two-year associate degrees, four-year baccalaureate programs, graduate certificate programs, and non-graduate certificate programs. First, we briefly define digital forensics. Second, we discuss the different schools and what is unique about their programs. Third, we discuss the certification programs that are available for those not interested in obtaining a degree.

Keywords: forensics investigations; electronic discovery (eDiscovery); emulation learning (eLive); digital forensics; education

1. Introduction

As computer crimes have increased in number, so has the need for professionals within the field of digital forensics. The need to understand computer systems, how they operate, as well as how to attempt to keep them secure, remains of high importance. It is also important to understand computer forensics. After a computer system has been compromised and a crime has taken place, there is a need for a computer forensics investigation to follow.

Computer forensics often gets mistaken for computer security, and therefore anyone studying computer science can benefit from understanding not only the definition of computer forensics, but also its importance. Digital forensics differs from computer security, which refers to securing computers against malicious attacks. It is also not the same as using computers to solve crimes. Criminal forensics techniques include matching fingerprints, ballistic testing, and DNA matching. Adding the ability to practice proper computer forensics techniques will help to ensure the overall integrity and survivability of the network's infrastructure. In addition, practicing good computer forensics techniques will help your organization if you consider computer forensics as one of the basic elements in what is known as a defense-in-depth approach to network and computer security.

2. What is digital forensics?

Digital forensics is a branch of forensic science that was developed to meet an urgent need in the early 1990s. It consists of the recovery and investigation of material found in digital devices, often in direct relation to a computer crime. The term digital forensics was mainly used to refer to computer forensics but has expanded over the years to cover all devices capable of storing digital media and today is used to describe the entire field.

National policies were developed in the early 2000s and now investigations can fall into one of four categories. Forensic analysis is probably the most common category. Within this category, evidence is recovered to support or oppose a hypothesis before a criminal court. This could easily be confused with evidence gathering, where material is intended to identify other suspects/crimes. Then there is electronic discovery (eDiscovery). This is a form of discovery related to civil litigation and intrusion investigation.
eDiscovery is an investigation specifically designed to examine the extent of an unauthorized network intrusion. The technical side of investigations can be broken down into several sub-branches: computer forensics, network forensics, database forensics, and mobile device forensics. An active investigation can utilize any number of the fields combined.

Computer forensic scientists or technicians are considered to be on the cutting edge within the criminal justice field. With the increase of cybercrime, cyber-terrorism, identity theft, and Internet child predators, computer forensic scientists are needed to track what were once thought to be traceless criminals. Many different agencies call on computer forensic scientists in order to be successful. Their expertise is needed for work with law enforcement officials, legal teams, independent companies, and the government to conduct investigations, retrieve evidence, and sometimes even testify in court. Computer forensic scientists remain in high demand because of their thorough practical knowledge of computers, networks, hacking, data retrieval, information security, and computer surveillance. They are also perceived to be well trained in ethics as well as criminal justice topics like confidentiality, privacy laws, and evidence handling.

In most cases a computer forensics investigator will be required to work independently. There are some instances when forensic investigators will be under the direct supervision of a computer forensic scientist; however, forensic investigators should not only expect to work independently, they should also be prepared to work under stressful situations.

Digital forensics is not limited to identifying direct evidence of a crime; it can also be used to link evidence to specific suspects, confirm alibis or statements, determine criminal intent, or identify sources in copyright cases. With digital forensics, the investigations are broader in scope than other areas of forensic analysis. The digital forensic process is made up of the seizure, forensic imaging, and analysis of digital media. Once all is said and done, a report is produced documenting the digital evidence for the courts or an employer.

3. Degree Training Programs Offered

The research performed for this paper uncovered 38 computer forensics-related programs including two-year associate degrees [7, 11, 14, 15, 18, 21, 22], four-year baccalaureate programs [3, 5, 7, 8, 26, 38], master's degree programs of study [11, 25, 26, 32], graduate certificate programs [10, 23, 24, 32, 33], and non-graduate-level certificate programs [1, 2, 4, 6, 9, 13, 16, 17, 19, 20, 25, 27, 28].

3.1 Associate Degree Programs

In an effort to satisfy the different needs associated with forensics, there are different avenues one can pursue when seeking training in the field.
The City College of Chicago [37] offers several programs leading to an Associate in Applied Science degree (A.A.S.) for Information Technology. They also offer a Basic Certificate in Computer Security and Forensic Investigation (CSFI). Their CSFI program was particularly interesting in that it covered two areas of interest, Information Security and Computer Forensic Law Enforcement. The Information Security area of emphasis focuses on the design, implementation, and management of information security in the corporate environment. This course prepares their students for the Certified Information Systems Security Professional (CISSP) Exam. The CISSP certification is nationally recognized. The Forensic/Law Enforcement area of emphasis focuses mainly on computer forensic investigation and provides law enforcement personnel and criminal justice majors with procedures and methods for investigation of computer crimes and handling electronic evidence.

3.2 Baccalaureate Programs

Of the four-year colleges researched, Defiance College was the one that seemed to offer the most in-depth training. Their program offers unique opportunities for students to study and gain hands-on experience working in labs and mock crime scenes. The tools and techniques of digital forensics are also applied in situations where data is constantly in motion, such as while recognizing and responding to intrusions into a company's computer network, or when recovering data from small-scale digital devices such as cell phones and PDAs. Of all the evidence collecting procedures, digital evidence collection is probably the most tedious process, requiring the most discipline. It is important for the evidence to be precise for it to be admissible in court. Here the students learn how to preserve the integrity of digital evidence; extract live, static, and deleted data from various media; and thoroughly document and present their findings.
In addition, students in this program develop a well-rounded background which consists of general education, criminal justice, and computer technology fundamentals. At the completion of this program the students will graduate with two professional certificates in hand, a degree in Digital Forensic Science, and the practical experience gained from utilizing the internship program [38].

First, the students learn about computers by preparing for the CompTIA A+ certification as an IT Technician. This certification is widely respected when seeking entry-level information technology employment. Next, the students begin learning about operating systems, security principles, and networking. Once the computer background is established, the students begin learning the science of forensics and how it is applied to the digital aspect of computers that are turned off, computers that are still running, computers communicating with one another, and small-scale digital devices such as cell phones, PDAs, smart phones, and other hybrid systems. In addition, the students learn the value and importance of having high ethics and personal integrity.

After learning all of these skill sets, the students have the opportunity to fine-tune their skills through an internship with one of many different agencies performing forensics work. The different internships offered to students will be afforded to them in their senior year. These are opportunities for the students to perform hands-on training and to participate in actual cases that are in the process of being prosecuted.

The courses offered at Defiance College in Digital Forensics are as follows: CompTIA A+ exam prep, Introduction to Computer and Digital Forensics, Computer Security Fundamentals, Operating Systems, Computer Forensics and Security Ethics, Law Enforcement Field Experience, Seizure and Forensic Examination of Computer Systems, Advanced Topics in Computer Data Analysis and Recovery, Fundamentals of Computer Networks, Network Forensics, Intrusion Detection, National Certification, and Computer Forensic Field Experience and Seminar.

3.3 Graduate Programs

When dealing with law enforcement, computer forensics scientists and investigators are considered to be highly educated and are therefore expected to have a bachelor's degree. Because of the limited programs available, obtaining a master's degree in a field like computer science or criminal justice can be difficult. Once obtained, the master's degree can prove to be extremely beneficial in acquiring the top-level jobs. Students in these programs will learn about cutting-edge technologies, systems, and concepts needed to succeed in computer forensics. Those with master's degrees can also expect to receive a higher salary than those who only hold undergraduate degrees, and they may also be promoted earlier and more frequently. Each of the graduate degree programs differs slightly in the courses required to complete the degree. All of the programs researched required between 33 and 40 semester credits to complete the degree [11, 25, 26, 32].

3.4 Certificate Programs

Computers and various digital devices are essential in the daily operations of organizations. This high dependency on technology brings with it serious security challenges. Criminals make their living hacking into these businesses. In order to mitigate these risks there must be a way for IT professionals to obtain a comprehensive overview of digital forensics.

Of the certificate programs we researched, Boston University's Graduate Certificate program was most appealing. This specialized graduate certificate program in digital forensics provides the students with comprehensive digital crime scene investigation knowledge.
The program introduces students to forensic analysis policy and procedures, forensic analysis tools, data recovery, and investigation, among other topics. The program is unique in that it offers the coursework on campus and via an online format called Emulation Live format (eLive). This format allows the students to get a blend of both on-campus classroom sessions and online courses. eLive courses include:

- Several traditional, face-to-face classroom sessions throughout the semester
- Online content that allows students to complete coursework and collaborate with classmates and instructors using Internet service
- Multimedia online technology utilizing virtual lectures, video conferencing, real-time collaborative sessions, correspondence, projects, and assignments
- Course materials and discussion threads that are accessible online 24 hours a day, 7 days a week

4. Uses for Degree Training

The majority of Information Technology (IT) professionals in business and law enforcement agencies already have college degrees. They do not need to concern themselves with the programs leading to a two- or four-year degree. In these cases a certificate program would be more advisable than a second college degree to perform computer forensics work.

Now that the need for digital forensics experts is on the rise, students are encouraged to pursue a degree program of some sort. More businesses are looking for people with specialized skill sets. Digital forensics is a field that requires attention to detail in all aspects of the job. Digital forensics jobs are often found within law enforcement, military, government intelligence agencies, and private security or consulting companies. To get a more in-depth idea of the types and number of jobs available, you can search a popular job bank called Dice, and it will return around 160 different jobs at the time of publication. If you do the same thing with Monster.com, it will return around 210 different jobs.
The numbers are not staggering, but they are on the rise. The different job titles varied from Computer Forensics Analyst to Vulnerability Security Research Engineer. Most of these jobs require a degree of at least two years of experience and others require a security clearance. Some of the jobs would accept equivalent knowledge and job experience in place of the required education, or just the opposite, an advanced degree in place of some of the required experience.

4.1 Salary Ranges

It has been predicted by the Bureau of Labor Statistics that computer forensic investigators will remain in high demand for the next several years to come. The data provided covers both self-employed forensic investigators and those employed by a firm. Generally speaking, there will be more stability offered by a firm. Self-employed investigators would enjoy more flexibility. Their salary could also be either substantially lower or higher than that of their counterparts working within a firm. When analyzing the data we found that digital forensics is usually combined with or closely related to the criminal justice field.

Employment of private detectives and investigators is expected to grow 22 percent over the 2011-21 decade, substantially faster than the average for all occupations [39]. As mentioned previously in this paper, the increased demand for private detectives and investigators is a direct result of heightened security concerns, increased litigation, and the need to protect confidential information and property of all kinds. Criminal activity on the internet includes spamming, identity theft, e-mail harassment, and more recently illegal downloading of copyrighted materials.

The average salary reported in 2006 by the Bureau of Labor Statistics was $33,750 for private investigators [39]. Generally those in the field of computer forensics earn higher salaries. Median annual wages of salaried private detectives and investigators were $41,760 in May 2008. The middle 50 percent earned between $30,870 and $59,060. The lowest 10 percent earned less than $23,500, and the highest 10 percent earned more than $76,640. Wages of private detectives and investigators vary greatly by employer, specialty, and geographic area [39]. Depending on the casework, these professionals may also encounter irregular schedules and long overtime hours.

Related Works

There is currently ongoing research targeted at enhancing the way forensic courses are being taught. The Cyber Defense Trainer (CYDEST) [34] was developed by a group of researchers to incorporate the use of a virtualized training platform for computer forensics. Through the use of virtual machines, it provides tactical-level exercises for network administrators, first responders, and digital forensics investigators. CYDEST is more than just a tool to create different scenarios; it also makes it possible for a student's every action to be properly monitored and recorded for later viewing by their professors. CYDEST ultimately provides a level of realism and automation for the student while reducing the workload of an instructor [34].

In addition, there is other research that argues the best form of realism is the real thing. In the paper "Designing Computer Forensics Courses Using Case Studies to Enhance Computer Security Curricula" [35], the authors argue that computer forensics courses should be designed and taught utilizing actual court cases that represent actual cyber crimes.
They believe that by using actual cases the students will learn more and better understand the existing cyber laws. Students can perform their own forensic investigations, compare them with the actual case, and learn from their mistakes or reinforce the positive.

There is also research being done in the online arena. Wang, of Southern Polytechnic State University, has written a paper, "Web-Based Interactive Courseware for Information Security," that talks about teaching such topics as security and forensics utilizing Web-based multimedia and interactive courseware. The courseware is based on the use of a tool called Multimedia and Interactive Courseware Synthesizer (MICS) [36]. MICS provides an interactive platform for students to learn. Security courses in general can be hard to master without student-instructor interaction. MICS, on the other hand, provides an interactive learning environment that can also incorporate games to be used for instruction. The primary focus of MICS is to be able to develop a collection of hands-on labs that cover security, privacy, reliability, and business integrity.

5. Conclusion

In conclusion, it is evident that the need for computer forensics specialists is increasing. As this need continues to rise, it is imperative that educational opportunities increase as well. In addition, we must strive to stay on the cutting edge of the industry's demands. Digital forensics is a new and constantly changing field which requires constant improvement and updating. There has to be more of an effort to consult practitioners in the field in order to continue developing relevant course material. There should also be a greater effort towards encouraging more organizations to offer internships in the field of digital forensics. In addition, we found that computer forensics is a growing multi-disciplinary field with increasing industry demand.
Even with the lack of publicly recognized program standards to follow at this time, there are a number of good examples of two- and four-year programs [21, 22, 38]. At the master's level, [26, 32] serve as good examples. In comparison to other scientific fields of study, few programs exist at this time for computer forensics. Most of the programs are located in the eastern portion of the United States, with about 25% of the programs on the west coast. It is evident that there is plenty of room for future growth with respect to the training programs offered in the Digital Forensics field.

6. References

[1] http://www.blueridge.edu/continuing/education/programs/cybercrimeinvest.htm
[2] http://cte.bridgew.edu/certifications/cdfe.cfm
[3] http://programs.bcit.ca/845cbtech
[4] http://web.bryant.edu
[5] http://www.bc3.edu/academics/technology/compforensics.htm
[6] http://canyoncollege.edu/lawenforce.edu.htm
[7] http://digitalforensics.champlain.edu
[8] http://a-s.clayton.edu/cj/curriculum
[9] http://www.curry.edu/academics/continuing+education/certificate+programs/computer+crime_investigations+and+computer+forensics.htm
[10] http://www.gwu.edu/~mastergw/programs/com_fraud
[11] http://www.icmschool.com/business-medical-careerscriminal-justice-cybercrime.html
[12] http://www.jjay.cuny.edu/programsgraduate/proggraduateforensiccomputing.asp
[13] http://www.kennesaw.edu/coned/sci/index.htm
[14] http://www.lwtc.ctc.edu/future/programs/list/cfor.htm
[15] http://www.lccc.edu/academics/credit/computerforensics-aas.asp
[16] http://www.bus.oregonstate.edu/services/nti.htm
[17] http://www.polk.edu/instruct/wfd/ips/programscoursedescriptions.htm
[18] http://www.southwest.cc.nc.us/acadprog/cct.htm
[19] http://tech.spokanefalls.edu/infosys/default.asp?menu=2&page=CertForensics
[20] http://www.spcollege.edu/webcentral/acad/compcrime.htm
[21] http://starkstate.edu/academics/it_tech/compnetadmin_secur.htm
[22] http://www.sunytccc.edu.academic/forensics/main.asp
[23] http://www.graduate.ucf.edu/currentgradcatalog/content/degrees/acad_prog_71.cfm
[24] http://www.newhaven.edu/psps/gradforensicscience.html
[25] http://www.extension.washington.edu/ext/certificates/cpf/cpf_gen.asp
[26] http://www.ecii.edu/edu_eci.html
[27] http://www.lcsee.cemr.wvu.edu/forensics/
[28] http://wright.ccc.edu/department/forensics/index.asp
[29] J. Heiser and W. Kruse, What Exactly is Computer Forensics?
[30] http://wwww.netsecurity.com/forensics/digital_computer_forensics_services.html
[31] http://www.business.latech.edu/graduate/iac_courses/ciS522.pdf
[32] http://www.2009-2009.graduatecatalog.ucf.edu/programs/programs.aspx
[33] http://www.bu.edu/met/programs/graduate/digitalforensics-certificate/
[34] Brueckner, S., Guaspari, D., Adelstein, F., & Weeks, J. (2008). Automated computer forensics training in a virtualized environment. Retrieved March 7, 2011, from Science Direct: http://www.dfrws.org/2008/proceedings/p105-brueckner.pdf
[35] Herath, A., Herath, S., Goonatilake, R., Herath, S., & Herath, J. (2007). Designing computer forensics courses using case studies to enhance computer security curricula. Journal of Computing Sciences in Colleges, 264-271.
[36] Wang, A. J. (2005). Web-Based Interactive Courseware for Information Security. SIGITE '05 Proceedings of the 6th conference on Information technology education (pp. 199-204). New York: ACM.
[37] http://www.ccc.edu/
[38] http://www.defiance.edu/page/major_digital_forensic_Science.html
[39] http://www.bls.gov/oco/ocos157.htm#outlook