Integrating Cyber-Forensics into a Forensic Science Masters Programme

This paper traces the development of the cyber-forensics content of the MSc in Forensic Science at King’s College London. It identifies the key interfaces between cyber-forensics and traditional forensic science, and analyses the rationale for the selection and development of the cyber-forensics curriculum within that context. The complementary issue of defining a forensic computing curriculum is also addressed. Finally it attempts to evaluate the extent to which the integration of cyber-forensics into the Forensic Science MSc programme has been successfully accomplished, using anonymized student feedback data and examination statistics collected over a period of more than a decade. 1.0 Introduction and Background In 1987 King’s College London (KCL) launched what was at that time the only university programme in Forensic Science in England. Initially it was co-ordinated by the Department of Biochemistry and more recently by the Department of Forensic Science and Drug Monitoring. This modular, interdisciplinary MSc programme is supported by teaching contributions from a wide range of academic departments within KCL, from other institutions within the University of London federation, and from external organisations such as the Metropolitan Police Forensic Science Service. From the outset the Department of Computer Science was invited to contribute to the MSc in Forensic Science and over the past twenty years its contribution has evolved considerably in both content and extent. However, the present author has retained the responsibility for defining, delivering and examining the computing curriculum within the Masters programme throughout its existence. The number of graduate students recruited to the MSc in Forensic Science has varied from an initial 8 in 1987-8 to a maximum of 44 in 2005-6. The Bachelors level background of the student intake is typically the Biological sciences, Biochemistry or Chemistry. As such the students generally possess the basic ICT literacy and competency that would be expected from a modern UK Bachelors programme in science. Whilst the majority of the students are from the UK, mainland EU, Hong Kong, the West Indies, Canada and the USA also feature significantly in the intake statistics. As a modular, interdisciplinary programme the MSc in Forensic Science is divided into topics taught by lecturers possessing the appropriate expertise, and each topic is allocated a number of contact hours appropriate to the intrinsic nature of the topic. Thus, for example, fibres and fingerprints are both allocated 6 contact hours, while computing is currently allocated 7-8 contact hours. The advantage of this arrangement is that, while cyber-forensics is not regarded as an integral part of the discipline of forensic science by the Forensic Science Society [1], the MSc students nevertheless encounter this topic on exactly the same footing as every other topic covered in the taught programme. Exceptionally, a student can also opt to do their individual summer project / dissertation in this area. 2.0 Developing a Cyber-Forensics Curriculum for Forensic Scientists From the outset it was apparent that two distinct themes would compete for the contact time allocated namely forensic computing (FC) and cyber-forensics (CF). To clarify this distinction, in the forensic computing theme students learn how computational techniques support and enhance the day-to-day work of the forensic scientist, while in the cyber-forensics theme students learn how the principles of forensic science are applied to the investigation of digital crimes. Initially, forensic computing was given more emphasis than cyber-forensics (roughly 5/8) due to the relatively under-developed state of cyber-forensics in the late 1980s. However during the midto late 1990s both themes were accorded approximately equal weight. At the present time the balance has shifted slightly in favour of cyberforensics (roughly 5/8) due to recent technical advances in the area and the availability of teaching aids such as the EnCase Forensic demonstrators [2]. At this point it may be helpful to outline the main components of each theme as currently delivered: Forensic Computing – • crime scene reconstruction, specifically the immersive environment Hydra system [3,4] • blood spatter analysis, specifically the DelftTech Visual Sensor Fusion 3D Blood Pattern Analysis module [5] • facial reconstruction, specifically the 3D graphics systems by Robin Richards and Peter Vanezis [6] • computation and matching of biometrics, specifically fingerprints and iris scans using NAFIS [7] and IrisCode [8] respectively • construction and matching of offender profiles, specifically the FBI’s VICAP [9] and the Home Office CATCHEM [10] systems Cyber-Forensics – • scoping and freezing the crime scene • bit-wise imaging of memory devices • searching for unerased data in temp files, swap space, spool areas, slack space, etc • scanning for the presence of Trojans, Remote Administration Tools, root-kits, etc • checking system logs / audit trails for evidence of malfeasance • performing Internet trace-backs via ISP log-files • performing cyber-profiling • legal issues, specifically the UK Computer Misuse Act (1990) as modified by the Police and Justice Act (2006) 3.0 Cyber-Forensics: Points of Similarity & Difference An important issue to be addressed at this juncture is the interrelationship between cyber-forensics and traditional forensic science topics. Cyber-forensics, in common with forensic science, adheres to the forensic principles of securing the crime scene, gathering, preserving and analysing the evidence, and (if required) presenting the evidence in a court of law as an expert witness. Thus students of forensic science can be expected to be familiar with the concepts of ‘bag-and-tag’, chain of custody, admissible evidence, etc. The forensic process is predicated upon Locard’s exchange principle, first enunciated by Edmond Locard in 1910, which is usually summarised as “every contact involves an exchange of material” or “every contact leaves a trace” [11]. In the case of traditional forensic science the physical exchange process may occur at the atomic, molecular, cellular or macroscopic sample level and its detection is achieved by performing specific analytical physicochemical tests. With cyber-forensics, on the other hand, when the internal state of a digital computer or network is altered by the intervention of an unauthorised agent, be it human, software or hardware, the mathematical-logical tests required to detect and interpret this state change are of an entirely different category. An important question for discussion with forensic science students is whether Locard’s exchange principle applies strictly in cyberspace – or, conversely, does a cyber-crime potentially constitute ‘the perfect crime’? A second issue that frequently arises from such discussions is precisely what constitutes the suspected cyber-crime scene, particularly if, as is commonly the case, the computer system or network under investigation is (either directly or indirectly) connected to the Internet? Springing directly from this consideration is a third issue relating to freezing the cyber-crime scene. It is apparent that quite different procedures must be adopted to preserve evidence at a cyber-crime scene where (a) a computer is found unattended and powered-off, (b) the computer is unattended but powered-on and possibly online, and (c) the computer is attended, powered-on and possibly online. Scenario (a) most closely resembles the crime scene of traditional forensic science, while scenario (b) requires an assessment of the potential for information loss as a result of either abruptly disconnecting the power supply or alternatively shutting down the computer. Scenario (c) leads naturally to a discussion of hot-key data erasure, and thence to the number of data erasure passes required to yield an insignificant probability of data recovery [12]. Another area of similarity between cyber-forensics and traditional forensic science is that of offender profiling. It has been long been recognised that serial criminals tend to develop an individual MO (modus operandi) which can be used to identify and distinguish their crimes from evidence gathered at the crime scene. However Clifford Stoll’s use of a simple form of behavioural profiling in 1986 marked the first attempt to apply these principles to the activities of a cyber-criminal (Markus Hess aka Jaeger) leading ultimately to his arrest and conviction [13,14]. Cyberprofiling has subsequently evolved into a relatively sophisticated discipline comparable with traditional offender profiling, as judged by the number of distinct behavioural attributes that are taken into consideration. Typical useful metrics include: • which files / directories / databases are searched • what keywords / key-phrases are searched for • how frequently email / other users’ activity is monitored • the elapsed time of a typical online session • the number of systems scanned • the system / network scanning tools used • which backdoors / Trojans / root-kits are exploited 4.0 Analysis and Evaluation Although the MSc in Forensic Science programme was launched in 1987/8 it is unfortunate that complete examination question marking data are available only from 1995/6 onwards and that student assessment scores are available only from 2000/1 onwards. In each academic year (AY) one non-compulsory examination question from the forensic computing / cyber-forensics (FC/CF) themes is set. The number of students electing to answer this question (n), together with the mean (mean), minimum (min) and minimum (max) percentage marks obtained, are given in Table 1 for each academic year, together with the size of the student cohort (size).