Design and Development of a Distance Education Paradigm for Training Computer Forensic Examiners

David T. Lang
Nova Southeastern University

Abstract: This paper introduces a work in progress to design and develop distance training for computer forensics examiners. Computer forensic analysis consists of a thorough and painstaking examination of digital evidence in all formats. This evidence may take the form of digitally stored documents, photographs, sounds, motion pictures, spreadsheets, databases, Internet history files, or any other recording in digital form. The computer forensics examiner must be able to retrieve these documents or recordings after they have been deleted, fragmented, and/or encrypted. This requires the examiner to have a diverse set of both technical and investigative skills. Currently, the only available reliable sources for computer forensic training are in-residence courses provided by the U.S. Government and a few commercial companies. However, the rapid spread of computer technology (and conversely, computer crime) has created an extremely long waiting list for many courses with some students being refused admission altogether. This study will focus on two major questions of relevance to the training of computer forensic examiners by distance. The first goal is to answer the basic question of what are the specific education and training objectives for computer forensic examiners? This question addresses the core skills and abilities that a basic computer forensic examiner must possess. The second phase of this study will concentrate on answering the question of what online technology can be applied to computer forensic education and training to remedy the current shortfall of trained computer forensic examiners? This question addresses the specific network and computer based training technology that can be reasonably applied to achieve mastery of the core educational and training requirements for the basic computer forensic examiner.

Project Background

Although the area of computer forensics was investigated as a subcategory of computer crime studies a decade ago under a U.S. Department of Justice contract, very little has been done to refine the concepts and structures of computer forensics during the past ten years. Some of the early reports concentrated on the points of computer crime definition and legal statutes for prosecution (Parker, Smith, Turner, & Sherizan, 1989) but neatly sidestepped the technical issues surrounding the digital evidence collection procedures that came to be known as computer forensics. Another study contracted by the U.S. Department of Justice went further by identifying police organizations that had dedicated computer crime units but still stopped short of explaining what training was provided and why (McEwen, Fester, & Nugent, 1989). Upon review of the report it becomes apparent that most computer crime officers at the state and local level were self-taught, with the exception of a very few who were able to get computer crime course training quotas at the Federal Law Enforcement Training Center (FLETC) in Glynco, Georgia. In still another contracted report from the same time period, the impact of computer crime is reviewed along with case studies, crime scene procedures, and investigative management but, again, the issue of training was sidestepped (Conly, 1989). The same authors that provided these reports also provided an article in NIJ Reports, the Journal of the National Institute of Justice, that was replete with case studies but without training recommendations (Conly & McEwen, 1990).

Project Description

Currently, computer forensic training is provided by only a handful of organizations and is reserved mostly for police officers and large corporate security professionals. Moreover, the basic training is provided only once or twice a year in limited attendance resident schools with tuition ranging from $695 to over $2,200 per student plus the expense of meals, lodging and transportation. Due to the exponential growth of computer technology and the increasing rate of change in that technology (the degree of change is increasing as the time span required for the change decreases), the technology is rapidly outpacing the ability of law enforcement and government agencies to provide qualified computer forensic examiners. As an additional challenge, there is currently almost no research available upon which to base training course design or national training standards. Consequently, training tends to be very hit and miss with each police department, government agency, or corporate entity devising their own programs in an educational vacuum. This ad hoc training structure further impedes the forensic investigative process by not providing a common training background for interagency cooperation. The National Cybercrime Training Partnership is currently attempting to draw police, corporate, and educational partners together to formulate a national training standard for computer forensics. However, this effort is also impeded by a lack of baseline information relating to the computer forensic training challenge. To date no research has been compiled to document the who, what, where, how, and why of the various computer forensic training programs. This leaves the current standards committee in the position of compiling standards without the benefit of specifications.

Defining Specific Education and Training Objectives for Computer Forensic Examiners

By examining the training plans, position descriptions and employee backgrounds of major government and civilian computer forensic establishments and distilling the basic competencies, this research will identify computer forensic core skills and abilities. These skills and abilities will then be translated into an event-response list. Using the event-response list, event and primitive diagrams will be constructed to identify the core tasks vital to the computer forensics process. Appropriate education and training will then be identified to support the core tasks. As a validation step, the final computer forensic training diagram will be submitted to the computer forensic community for critique.

Application of Online Technology

Once all training and education requirements have been identified and diagrammed, appropriate online technology will be identified to provide a distance learning environment that is accessible as well as technically and educationally sound. Initial research has shown that virtual environments and intelligent pedagogical agents may play a significant role in this phase of the project.

Overcoming Traditional Barriers to Computer Forensics Training Research

Barriers to the proposed research have traditionally centered on a lack of integrated educational and technical expertise within the computer forensic field. Traditionally, computer forensic training has been developed and implemented by law enforcement personnel on an ad hoc basis. This has created an environment where the accepted educational and training standards and methods are seldom examined or validated from an educational perspective. An additional issue that has traditionally served to impede a study of this nature is that of protecting law enforcement sources and methods involved in computer forensics examinations from becoming public. This research project proposes to avoid this controversy by examining only forensic education and training requirements and methods, not specific forensic tools and procedures.

References

Conly, C. H. (1989). Organizing for computer crime investigation and prosecution. Washington, DC: National Institute of Justice.

Conly, C. H., & McEwen, J. T. (1990). Computer crime: The new crime scene. NIJ Reports, January/February (218), 2-7.

McEwen, J. T., Fester, D., & Nugent, H. (1989). Dedicated computer crime units. Washington, DC: National Institute of Justice.

Parker, D. B., Smith, D. C., Turner, G. W., & Sherizan, S. (1989). Computer crime: Criminal justice resource manual. Washington, DC: National Institute of Justice.