- Number of slides: 33
Second International Workshop on Digital Forensics and Incident Analysis
Samos, Greece
27 – 28 August 2007

Cybercrime Investigation Training and Specialist Education for the European Union
Abhaya Induruwa
Department of Computing

2nd International Workshop on DFIA - Samos, Greece; 27 August 2007

Cybercrime
- “a crime committed using a computer and the Internet to steal a person’s identity or sell contraband or stalk victims or disrupt operations with malevolent programs”
- The involvement of the Internet brings the global dimension!

The Situation
- “of around 140,000 police officers in the UK, barely 1,000 have been trained to handle digital evidence at the basic level and fewer than 250 of them are currently with Computer Crime Units or have higher level forensic skills”

Presentation
- Falcone Project
- AGIS Pilot – typical European collaboration
- Training at the degree level
- Canterbury Christ Church University’s involvement
- European Compliance – Bologna Agreement
- UK’s position

Falcone Project
- Titled: “Training: Cybercrime Investigation – Building a Platform for the Future” (2001)
- Examined: cybercrime investigation training provision throughout EU
- Found:
  - Approaches inconsistent and fragmentary
  - No mutual recognition of training standards
  - No academic recognition

Convention on Cybercrime of the Council of Europe, in particular Article 35
“Each Party shall:
  - designate a point of contact available on a twenty-four hour, seven-day-a-week basis,
  - in order to ensure the provision of immediate assistance for the purpose of investigations
  - or proceedings concerning criminal offences related to computer systems and data,
  - or for the collection of evidence in electronic form of a criminal offence.”

Falcone: Recommendations
- European approach to cybercrime forensics training
- Academic accreditation
- More co-operation between law enforcement agencies and academic institutions to bring:
  - Professional Recognition
  - Standardisation across member states
- Internationally recognised qualifications would ease law enforcement agency co-operation
- Monitoring and administration should be carried out by a central body, e.g. Europol or CEPOL

Falcone: Recommendations
Four levels of training in Computer Forensics, Internet and Network investigation:
- Basic/Certificate Course;
  - To cover broad range of material
- Intermediate/Diploma Course;
  - To reflect the requirements of participants
- Advanced/Degree Course;
  - To cover subject material in more depth and
- Continuing Professional Development
  - To help practitioners to keep their skills current

AGIS 2003 and 2004
- Titled: “Cybercrime Investigation – developing an international training programme for the future”
- Picked up: where Falcone left off
- Produced and piloted: materials for the Basic/Certificate Course in Forensic Computing, Internet and Network Investigations

AGIS 2003 and 2004: Recommendations
- Determine criteria for membership of a Network of Cybercrime Investigation Training Centres
- Set up a centralised repository for course materials for ease of course dissemination
- Set up a mechanism to keep courses up-to-date, reviewed and developed
- Encourage a central body such as CEPOL or Europol to establish a certificate in cybercrime investigation and a register for cybercrime investigators
- Encourage Interpol to deliver the training produced by this project to promote standardisation of cybercrime around the world.

AGIS 2005
- Produced and piloted materials for the Intermediate/Diploma Course in Forensic Computing, Internet and Network Investigations:
  - Applied NTFS Forensics – Aug 2006
  - Internet Investigations – Oct 2006
  - Network Investigations – Nov 2006

AGIS 2006
- Again produced and piloted materials for the Intermediate/Diploma Course in Forensic Computing, Internet and Network Investigations
  - Linux as a Forensic Tool
  - Mobile Phone Forensics
  - Wireless and VoIP Forensics

AGIS: Summary
- Produced materials to be used by law enforcement agencies around the world but particularly the EU
- Piloted the course
  - to evaluate and improve the materials
- Accredited by University College Dublin and Canterbury Christ Church University
- Materials set to be administered and kept up-to-date by Europol
- Approved list of trainers and training centres to be set up by Europol
- Project to continue under funding from EU ISEC Programme

Linux as a Forensic Tool Pilot – March 2007
- Reviewed the existing training material from Interpol, UK and Belgium;
- Considered including pre-read material so that a true intermediate course could be offered;
- Discussed having a test at the beginning to ensure that the students have grasped the pre-read material;
- Discarded this idea as individual circumstances of students could prevent them from completing the pre-read material;
- Decided that this will be covered very quickly at the outset.

Linux as a Forensic Tool Pilot – March 2007
- Recommended having a training room with
  - A computer for each student
  - At least two computers for trainers (one with Windows XP)
  - Two projectors
  - Network and Internet connectivity
  - 1 GB USB drive each for trainers and students
  - Access to BIOS settings
  - Run Ubuntu and FCCU Linux

Linux as a Forensic Tool Pilot – March 2007
- Why Ubuntu Linux?
  - Ubuntu is ideal to introduce basics and build confidence
  - Based on Debian, but is much more user friendly than Debian or Slackware
  - Interpol’s course also uses Ubuntu
  - Slackware – Grundy discusses this distribution in slightly more detail
  - Debian – Knoppix live CD is based on this distribution
  - Days 3 – 4 are based on the Belgian course that uses a live CD developed by the Federal Computer Crime Unit (FCCU)

Linux as a Forensic Tool Pilot Delivery – March 2007
- 5 days in total
- Days 1 – 2
  - Introduce Linux – based on Interpol’s course – use Ubuntu
- Days 3 – 4
  - Based on Belgium’s course – uses FCCU Unix – avoids having to develop too much new material
- Day 5
  - Review of the course and competency test

Linux as a Forensic Tool Pilot – Quality Assurance
- NPIA
- University College Dublin
- Canterbury Christ Church University
- Post evaluation meeting in September 2007
- Final report to be submitted in December 2007.

Training at the Degree Level
- Falcone 3rd Recommendation, where
  - Canterbury Christ Church University
  - University of Glamorgan
  - University College Dublin, etc.
  come into the picture.

Canterbury Christ Church University
- MSc in Cybercrime Forensics
  - Closed programme;
  - Started in October 2005;
  - Innovative partnership with NPIA High Tech Crime Training Unit – Wyboston;
  - Two intakes so far.
- BSc in Forensic Computing
  - First intake in October 2007;
  - Open to any student.

Canterbury Christ Church University
- MSc Cybercrime Forensics
Structured to impart knowledge and test competencies in core areas
  - Data Recovery and Analysis Skills
  OR
  - Network Investigation Skills
  AND
  - Ethical, Legal and Professional Considerations
  - Case Studies in Cybercrime Forensics
  - Cryptography

Canterbury Christ Church University
- MSc Cybercrime Forensics
Optional areas:
  - Applied NTFS Forensics
  - Advanced Internet Forensics Traces
  - High Tech Crime Scene Searching
  - Core Skills in Mobile Forensics
  - Identifying and Tracing the Electronic Suspect
  - High Tech Crime Manager’s Workshop
  - Covert Internet Investigation.

Canterbury Christ Church University
- Based on the QAA’s 180 credit model;
- Uses NPIA High Tech Crime Training Unit’s training modules as pre-qualifiers
- University’s well established APEL/APCL procedures to accredit prior experiential and certified training
- Meets Falcone Recommendations:
  - Achieve Academic Accreditation
  - Achieve Professional Recognition
  - CPD to keep practitioners’ skills up-to-date.

Canterbury Christ Church University
- BSc in Forensic Computing
  - Entry level programme;
Aim is to:
  - Equip students with theory and practical skills necessary to assist in the
    - Examination;
    - Reconstruction;
    - Detection;
    - Investigation;
    of crime scenes where the use of
    - IT equipment and Computers
    are involved.

Canterbury Christ Church University
- BSc in Forensic Computing
Expected employment:
  - In a range of career pathways including:
    - Police force;
    - Associated supporting roles;
    - General roles involving IT equipment and Computers;
  - Go into further study leading to Masters or even PhD degrees.

European Compliance
- Falcone, and then AGIS, were European initiatives;
- Tried to develop training material for cross border use;
- At Basic and Intermediate Levels
- In order to achieve consistent professional standards;
- Accreditation of qualifications across Europe.

European Compliance
Bologna Agreement (1999)
- Signed by Education Ministers of 29 Member countries
  - To create a European Higher Education Area (EHEA) by 2010;
  - To achieve a comparable, compatible and coherent system for Europe;
  adhering to Europe wide academic and quality assurance standards.

European Compliance
Bologna Agreement (1999)
- Key features:
  - Establishment of a common system of credits;
  - Promotion of the mobility of students as well as academic staff;
  - Promotion of European co-operation in quality assurance;
  - Participation in life long learning.

European Compliance
Bologna Agreement (1999)
Comprises three cycles of higher education qualifications matching roughly to the following UK qualifications:
  - BSc;
  - MSc;
  - PhD.
- Proposes a shift from teacher based to student based course descriptors and corresponding learning outcomes (LOs);
- Defines ECTS (European Credit Transfer and accumulation System) Credits – to allow cross border accreditation and standardisation;
- Generally accepted that the UK BSc and MSc degrees are fully compatible with the First and Second Cycles.

European Compliance
Bologna Agreement
- Follow up conferences:
  - Prague (2001);
  - Berlin (2003);
  - Bergen (2005);
  - London (2007) – expected to adopt a strategy on:
    - How to reach other continents;
    - Create a Register of European Quality Assurance Agencies.

European Compliance
UK’s Position – Future Proofing
- UK has a well established Quality Assurance System for Higher Education;
- The MSc in Cybercrime Forensics of the CCCU has been developed strictly according to QAA structures;
- In the UK, European programmes such as Erasmus, Tempus and Socrates are well established – to provide smooth accreditation of academic achievements;
- Students with UK qualifications will be able to freely and transparently move across European borders.
- The acceptance of ECTS will allow students from European Higher Education institutions to freely and transparently select modules offered by the UK higher educational institutions.

Closing Note …
- Canterbury Christ Church University is hosting CFET 2007 – the 1st International Conference on Cybercrime Forensics Education and Training
- Dates: 6 – 7 September 2007
All are welcome!
The venue – Canterbury Christ Church University with the Canterbury Cathedral in the background.

Thank You!


