Does Computer Forensics belong to Computer Science or Forensic Science?

R.E. Overill¹ & R.I. Ferguson²

¹ Department of Computer Science, King's College London, The Strand, London, WC2R 2LS
[email protected]

² Department of Computer and Information Sciences, University of Strathclyde, Livingstone Tower, Richmond Road, Glasgow, G1 1XH
[email protected]
Abstract

While computer forensics (or, more generally, cyber-forensics) is now beginning to establish itself as a (usually optional) topic in UK undergraduate and postgraduate Computer Science curricula, it has made little (if any) impact on UK Forensic Science programmes. In this paper we argue that computer forensics is a genuinely interdisciplinary topic which requires the integration of the scene-of-crime skills, chain-of-custody procedures, admissible evidence determination and expert witness presentation characteristic of forensic science with the digital investigative, analytical and interpretational techniques characteristic of computer science. We contend that a digital investigator also requires a working knowledge of criminal profiling in order to interpret the actions performed in terms of motivation and intention, and a sound knowledge of the criminal law applicable to digital systems. We provide quantitative evidence from assessments based on some twenty years teaching computer forensics to Masters students of Forensic Science, and four years teaching computer forensics to Masters students of Computer Science. We describe the distinct paradigm shifts that are required of forensic science students and computer science students in order to successfully internalise computer forensics concepts, and we conclude with proposals for modified curricula in Forensic Science and Computer Science which meet these desiderata.
1. Introduction

This paper is a reflection upon the experience gained in the teaching of cyber-forensics to two Masters level courses. In one course, MSc Forensic Science at King's College London, the students are primarily studying forensic science (FS) and undertake one class in cyber-forensics (CF). The other, MSc Forensic Informatics at the University of Strathclyde, is primarily an advanced computer science (CS) course in which the students are exposed to the fundamentals of FS. Recent years have seen an increase in the number of courses in the UK which attempt to teach CF without the complementary FS skills. We suggest that teaching the technical CS topic without the FS background is unwise and argue that this leaves the graduate of such a course with a critical gap in their skills and knowledge.
We provide data (derived from student assessments) that suggest both that FS students are capable of taking on board CS concepts and, vice-versa, that students with a CS background benefit from an exposure to FS fundamentals.
2. FS as an Inter-disciplinary Topic

The traditional forensic scientist undertaking a Masters course in the UK will typically study a number of topics which can be considered fundamental to the discipline. These include evidentiary procedures, the legal framework of FS, investigative skills, expert witness presentation skills and maths (applied statistics/probability). For the remainder of the paper, we refer to these as “FS fundamentals”. A student who has studied a course with the word “forensic” in the title may reasonably expect to have acquired the skills and knowledge necessary to take to the witness stand as an expert witness. In order to be credible in this situation, it is insufficient to be a competent computer scientist – familiarity with those FS fundamentals is also a pre-requisite. Indeed, a competent barrister would expect to be able to discredit the evidence of a computer scientist expert witness who was not fully versed in all aspects of FS fundamentals.

3. Experience/History

In order to compare and contrast experiences from the two institutions, a description of the courses and the typical profile of their students is necessary.

[Figure: students divided into KCL students (FS) and UoS students (FI, FS)]
Fig 1. Categories of Students in Study

3.1 MSc in Forensic Science, King’s College London

This advanced MSc programme has been running for 20 years, and currently has an annual intake of around 45 students. The forensic computing and cyber forensics topic comprises one module in the FS Masters programme, and is currently allocated 7-8 hours contact time. This is on a par with other topics such as fibres and fingerprints. In addition to two semesters of taught material and laboratory practice, students spend the third semester in a placement doing an appropriate project. The forensic computing and cyber forensics topic is roughly equally divided between these two themes. The former deals with the application of computational techniques to the traditional forensic scene of crime procedures (e.g. blood spatter analysis, fingerprint matching). The latter considers the application of traditional forensic science principles to cyber crime scenarios and the conceptual modifications required to address the digital world, including scoping and freezing the crime scene and Locard’s Exchange Principle (LEP). Further details of the KCL FS programme can be found in (Overill, 2007).

3.2 MSc in Forensic Informatics, University of Strathclyde

MSc Forensic Informatics accepted its first cohort of students in 2004. It was introduced as a companion to the existing (~30 year old) MSc Forensic Science. The staff of FS are all court-going expert witnesses, thus MSc FI was proposed in response to the perceived need to “do something about the number of cases in which we’re being asked to examine computers.”

As the following section seeks to compare and contrast the performance of FI students (with a CS background) with traditional FS students in classes concerned with FS fundamentals, we first present some details of the two courses.

Both are level 11, 1 year, Masters degree courses split into 3 semesters. MSc FS recruits (primarily) graduates in chemistry and bioscience. The admission policy of MSc FI means that it is only open to graduates whose first degree includes “a significant component of computer science.”

Semester One

The two courses share an almost common first semester of 14 weeks during which students are introduced to fundamental FS topics including scene of crime skills/evidentiary procedure, investigative skills, the legal framework of FS and professional ethics. In addition, both cohorts of students are expected to undertake practical work which includes “traditional” forensic techniques such as fibre analysis, casting footprints, tool-marks analysis. Additionally the FI students study basic material on the examination of digital artefacts whilst the FS students study basic chemical/bio-chemical testing techniques (presumptive tests). At the end of the semester, a major (2 week) practical exercise (The Stepps Exercise) takes place during which the students are required to investigate crimes which have been simulated by staff. The FI students concentrate on the digital aspects of the investigation. This is followed by the students participating in a simulated trial in the role of expert witnesses. The semester is assessed by exam (50%) and by a practical mark based on the Stepps Exercise and Trial.

Semester Two

During Semester Two, the FI and FS students follow separate curricula, with the FI students concentrating on the digital/CS material and the FS on more specialist FS topics, explosives and firearms, drugs etc.

Semester Three

Semester three sees the students undertake a 14 week project placement with an external organisation which is subsequently assessed by dissertation.
4. Evidence from Student Performance

In this section we seek to show that students of FS are perfectly capable of tackling CS and that CS students are capable of absorbing the fundamentals of FS and synthesising them with their CS skills to perform forensic analysis in a forensic context. In the study of the KCL student performance we have compared the performance of the same body of FS students over cyber forensics (CF) and forensic computing (FC) topics. In the UoS study, we have compared the performance of FS and FI students over the portion of the course that seeks to teach fundamental FS, basic forensic techniques and the application thereof in an investigation/courtroom setting (i.e. semester one).

4.1 King’s College London

In this study, we have plotted the average marks of FS students who elected to answer the annual forensic computing and cyber forensics examination question. Data is only available from 1996 to 2007 inclusive, and the results are plotted separately for the forensic computing (FC) and for the cyber forensics (CF) questions (Fig. 2). Note that in 2001 no student attempted the FC question that was set. The overall average mark for answers to CF questions is 51.1% while for FC questions the overall average mark is 50.0%. This indicates that FS students cope equally with the FC and CF material in the curriculum, but at a level that represents no more than a pass.
Fig. 2. Average marks of KCL FS students 1996-2007

4.2 University of Strathclyde

This section seeks to compare and contrast the performance of FI students with “pure” FS students in classes concerned with FS fundamentals. In this study, we have plotted the average marks for semester one for the FS and FI cohort over the past few years (Fig. 3). The marks represent the student performance on the investigation exercise and court appearance. Assessment criteria for these are such that the marks represent how well students can perform their particular flavour of FS in a legal context, not just how well they stood up and presented.
Fig 3. Average semester one marks of FI and FS students 2001-2007

The marks show that the performance of the FI students is at a comparable level to the FS students. This indicates that by teaching the FS fundamentals alongside the CS, the course produces a computer scientist capable of operating in a forensic context at least as well as a traditional FS. What this data cannot show is how well the FI students would be capable of performing had they not been taught FS fundamentals along with the CS skills. However, the equivalent performance of the two groups, along with the fact that it would be inconceivable that FS students wouldn’t be taught the fundamentals, gives some indication that the co-existence of FS fundamentals on the FI curriculum is of benefit.
5. Reflections on Experience

5.1 King’s College London

20 years of teaching forensic computing and cyber forensics to FS students has seen a continuous evolution of the curriculum, driven mainly by new developments in both themes. Initially only stand-alone computer forensics was covered, but as Internet related crime increased from the mid-1990s onwards it was necessary to broaden this into cyber forensics and to include behavioural profiling. Similarly and in parallel, forensic computing has evolved to incorporate such topics as automated lip reading, blood spatter and bullet trajectory analysis, and virtual reality crime scene reconstruction as these technologies were developed. It is anticipated that the curriculum will continue to evolve in this manner for the foreseeable future.

5.2 University of Strathclyde

Four years of operating the course have shown that CS students do at least as well as the FS on the FS portion of the course. Feedback from the FI students has, however, led to us altering the balance of material in the semesters and in subsequent cohorts, more CS material will be introduced in semester one. Timetable constraints have prevented this until now.
6. Conclusions

The main conclusion of the study is that forensic informatics (or cyber forensics) is a separate discipline from both computer science and forensic science. It inherits material from both disciplines and neither should be neglected at the expense of the other. So, does Computer Forensics belong to Computer Science or Forensic Science? Our answer is emphatically that it belongs to both.
References

Overill (2007): R E Overill, “Integrating Cyber Forensics into a Forensic Science Masters Programme” in Proceedings of the 1st International Conference on Cybercrime Forensics Education and Training (CFET 2007), 6-7 September 2007, Canterbury, UK, CD-ROM ISBN 1899253-041.