Integrating Cyber-Forensics into a Forensic Science Masters Programme

Richard E Overill

Department of Computer Science, King’s College London, Strand,

London WC2R 2LS, U.K.

Abstract

This paper traces the development of the cyber-forensics content of the MSc in Forensic Science at King’s College London. It identifies the key interfaces between cyber-forensics and traditional forensic science, and analyses the rationale for the selection and development of the cyber-forensics curriculum within that context. The complementary issue of defining a forensic computing curriculum is also addressed. Finally it attempts to evaluate the extent to which the integration of cyber-forensics into the Forensic Science MSc programme has been successfully accomplished, using anonymized student feedback data and examination statistics collected over a period of more than a decade.

1.0 Introduction and Background

In 1987 King’s College London (KCL) launched what was at that time the only university programme in Forensic Science in England. Initially it was co-ordinated by the Department of Biochemistry and more recently by the Department of Forensic Science and Drug Monitoring. This modular, interdisciplinary MSc programme is supported by teaching contributions from a wide range of academic departments within KCL, from other institutions within the University of London federation, and from external organisations such as the Metropolitan Police Forensic Science Service.

From the outset the Department of Computer Science was invited to contribute to the MSc in Forensic Science and over the past twenty years its contribution has evolved considerably in both content and extent. However, the present author has retained the responsibility for defining, delivering and examining the computing curriculum within the Masters programme throughout its existence.

The number of graduate students recruited to the MSc in Forensic Science has varied from an initial 8 in 1987-8 to a maximum of 44 in 2005-6. The Bachelors level background of the student intake is typically the Biological sciences, Biochemistry or Chemistry. As such the students generally possess the basic ICT literacy and competency that would be expected from a modern UK Bachelors programme in science. Whilst the majority of the students are from the UK, mainland EU, Hong Kong, the West Indies, Canada and the USA also feature significantly in the intake statistics.

As a modular, interdisciplinary programme the MSc in Forensic Science is divided into topics taught by lecturers possessing the appropriate expertise, and each topic is allocated a number of contact hours appropriate to the intrinsic nature of the topic. Thus, for example, fibres and fingerprints are both allocated 6 contact hours, while computing is currently allocated 7-8 contact hours. The advantage of this arrangement is that, while cyber-forensics is not regarded as an integral part of the discipline of forensic science by the Forensic Science Society [1], the MSc students nevertheless encounter this topic on exactly the same footing as every other topic covered in the taught programme. Exceptionally, a student can also opt to do their individual summer project / dissertation in this area.

2.0 Developing a Cyber-Forensics Curriculum for Forensic Scientists

From the outset it was apparent that two distinct themes would compete for the contact time allocated, namely forensic computing (FC) and cyber-forensics (CF). To clarify this distinction, in the forensic computing theme students learn how computational techniques support and enhance the day-to-day work of the forensic scientist, while in the cyber-forensics theme students learn how the principles of forensic science are applied to the investigation of digital crimes. Initially, forensic computing was given more emphasis than cyber-forensics (roughly 5/8) due to the relatively under-developed state of cyber-forensics in the late 1980s. However, during the mid- to late 1990s both themes were accorded approximately equal weight. At the present time the balance has shifted slightly in favour of cyber-forensics (roughly 5/8) due to recent technical advances in the area and the availability of teaching aids such as the EnCase Forensic demonstrators [2].

At this point it may be helpful to outline the main components of each theme as currently delivered:

Forensic Computing –

  • crime scene reconstruction, specifically the immersive environment Hydra system [3,4]
  • blood spatter analysis, specifically the DelftTech Visual Sensor Fusion 3D Blood Pattern Analysis module [5]
  • facial reconstruction, specifically the 3D graphics systems by Robin Richards and Peter Vanezis [6]
  • computation and matching of biometrics, specifically fingerprints and iris scans using NAFIS [7] and IrisCode [8] respectively
  • construction and matching of offender profiles, specifically the FBI’s VICAP [9] and the Home Office CATCHEM [10] systems

Cyber-Forensics –

  • scoping and freezing the crime scene
  • bit-wise imaging of memory devices
  • searching for unerased data in temp files, swap space, spool areas, slack space, etc
  • scanning for the presence of Trojans, Remote Administration Tools, root-kits, etc
  • checking system logs / audit trails for evidence of malfeasance
  • performing Internet trace-backs via ISP log-files
  • performing cyber-profiling
  • legal issues, specifically the UK Computer Misuse Act (1990) as modified by the Police and Justice Act (2006)

3.0 Cyber-Forensics: Points of Similarity & Difference

An important issue to be addressed at this juncture is the interrelationship between cyber-forensics and traditional forensic science topics. Cyber-forensics, in common with forensic science, adheres to the forensic principles of securing the crime scene, gathering, preserving and analysing the evidence, and (if required) presenting the evidence in a court of law as an expert witness. Thus students of forensic science can be expected to be familiar with the concepts of ‘bag-and-tag’, chain of custody, admissible evidence, etc. The forensic process is predicated upon Locard’s exchange principle, first enunciated by Edmond Locard in 1910, which is usually summarised as “every contact involves an exchange of material” or “every contact leaves a trace” [11]. In the case of traditional forensic science the physical exchange process may occur at the atomic, molecular, cellular or macroscopic sample level and its detection is achieved by performing specific analytical physicochemical tests. With cyber-forensics, on the other hand, when the internal state of a digital computer or network is altered by the intervention of an unauthorised agent, be it human, software or hardware, the mathematical-logical tests required to detect and interpret this state change are of an entirely different category.

An important question for discussion with forensic science students is whether Locard’s exchange principle applies strictly in cyberspace – or, conversely, does a cyber-crime potentially constitute ‘the perfect crime’? A second issue that frequently arises from such discussions is precisely what constitutes the suspected cyber-crime scene, particularly if, as is commonly the case, the computer system or network under investigation is (either directly or indirectly) connected to the Internet? Springing directly from this consideration is a third issue relating to freezing the cyber-crime scene. It is apparent that quite different procedures must be adopted to preserve evidence at a cyber-crime scene where (a) a computer is found unattended and powered-off, (b) the computer is unattended but powered-on and possibly online, and (c) the computer is attended, powered-on and possibly online. Scenario (a) most closely resembles the crime scene of traditional forensic science, while scenario (b) requires an assessment of the potential for information loss as a result of either abruptly disconnecting the power supply or alternatively shutting down the computer. Scenario (c) leads naturally to a discussion of hot-key data erasure, and thence to the number of data erasure passes required to yield an insignificant probability of data recovery [12].

Another area of similarity between cyber-forensics and traditional forensic science is that of offender profiling. It has long been recognised that serial criminals tend to develop an individual MO (modus operandi) which can be used to identify and distinguish their crimes from evidence gathered at the crime scene. However, Clifford Stoll’s use of a simple form of behavioural profiling in 1986 marked the first attempt to apply these principles to the activities of a cyber-criminal (Markus Hess, aka Jaeger), leading ultimately to his arrest and conviction [13,14]. Cyber-profiling has subsequently evolved into a relatively sophisticated discipline comparable with traditional offender profiling, as judged by the number of distinct behavioural attributes that are taken into consideration. Typical useful metrics include:

  • which files / directories / databases are searched
  • what keywords / key-phrases are searched for
  • how frequently email / other users’ activity is monitored
  • the elapsed time of a typical online session
  • the number of systems scanned
  • the system / network scanning tools used
  • which backdoors / Trojans / root-kits are exploited

4.0 Analysis and Evaluation

Although the MSc in Forensic Science programme was launched in 1987/8 it is unfortunate that complete examination question marking data are available only from 1995/6 onwards and that student assessment scores are available only from 2000/1 onwards.

In each academic year (AY) one non-compulsory examination question from the forensic computing / cyber-forensics (FC/CF) themes is set. The number of students electing to answer this question (n), together with the mean (mean), minimum (min) and maximum (max) percentage marks obtained, are given in Table 1 for each academic year, together with the size of the student cohort (size).

Over the past decade or more a roughly equal balance has been intentionally maintained between examination questions from the forensic computing and the cyber-forensics themes. The data in Table 1 appear to show that the students answered the cyber-forensics (CF) questions with a slightly higher overall average (50.5%) than the forensic computing (FC) questions (48.5%). This is both somewhat surprising and rather gratifying, as forensic scientists might be expected to find some of the technical aspects of CF quite challenging. A remarkable feature of the data is the dramatic fluctuation in the proportion of the student cohort that elected to answer the FC/CF topic question in the successive years 1999-2000 (100%) and 2000-1 (0%). This is most plausibly explained as arising from a period of 4 successive years in which a CF question was set, followed by an FC question the next year. The students may have begun to tacitly assume that the FC material was less likely to be examined than the CF material.

| AY    | 95/6 | 96/7 | 97/8 | 98/9 | 99/0 | 00/1 | 01/2 | 02/3 | 03/4 | 04/5 | 05/6 | 06/7 |
|-------|------|------|------|------|------|------|------|------|------|------|------|------|
| size  | 22   | 31   | 33   | 30   | 32   | 32   | 39   | 35   | 42   | 38   | 44   | 35   |
| n     | 17   | 14   | 9    | 11   | 32   | 0    | 3    | 3    | 6    | 6    | 6    | 6    |
| FC/CF | FC   | CF   | CF   | CF   | CF   | FC   | CF   | CF   | FC   | FC   | CF   | FC   |
| mean  | 48.5 | 40.3 | 52.2 | 60.9 | 48.3 | -    | 56.0 | 59.8 | 45.3 | 52.0 | 64.5 | 48.2 |
| min   | 24   | 20   | 30   | 35   | 20   | -    | 40   | 54   | 32   | 26   | 39   | 26   |
| max   | 68   | 64   | 60   | 100  | 70   | -    | 80   | 68   | 69   | 83   | 87   | 64.5 |

Table 1: Forensic computing / cyber-forensics module examination question results

In Table 2 the aggregate student assessment score for the forensic computing and cyber-forensics module is given for each academic year from 2000/1 onwards and is compared with the average score across all modules of the MSc where these data are available.

| AY      | 2000/01 | 2001/02 | 2002/03 | 2003/04 | 2004/05 | 2005/06 | 2006/07 |
|---------|---------|---------|---------|---------|---------|---------|---------|
| FC/CF   | 90%     | 79%     | 62%     | 65%     | 79%     | 80%     | 72%     |
| overall | -       | -       | -       | -       | 73%     | 80%     | 78%     |

Table 2: Forensic computing / cyber-forensics module student assessment scores

Although there is a significant year-to-year variation in these scores, it is not unreasonable to conclude that the forensic computing / cyber-forensics syllabus is as well received by the students as the more traditional forensic science material in the Masters programme.

5.0 Summary and Conclusions

The empirical data appear to support the contention that it is both possible and desirable to introduce cyber-forensics (and forensic computing) into a traditional Forensic Science Masters (or Bachelors) programme. Since the majority of the principles of conventional forensic science translate directly into the cyber-domain, students assimilate them without difficulty. Equally, they are intrigued by those properties of the cyber-world that necessitate the reformulation of certain traditional forensic science concepts, such as Locard’s exchange principle, and scoping and freezing the crime scene.

A natural corollary of these empirical findings for cyber-forensics, as well as forensic computing, would be its acceptance as an integral and valued part of mainstream forensic science by the Forensic Science Society in the UK and by the equivalent professional bodies in other countries. Some progress towards this goal is now being made in the EU under the auspices of the ENFSI Forensic Information Technology Expert Working Group [15].

Acknowledgements

The author would like to thank the many cyber-forensic colleagues who have offered him advice and encouragement over the past twenty years, particularly Jim Bates, Tony Sammes, Peter Sommer and Edward Wilding. He would also like to acknowledge the support and encouragement of the members of the MSc Forensic Science course team at King’s College London, and in particular David Cowan, Barbara Daniel and Terry Gough.

References

[1] Forensic Science Society:

[2] EnCase Forensic:

[3] Goodwin C (1995). Simulation at the Yard, IText (IT in Context) 1(3), 4-8.

[4] Hydra:

[5] DelftTech VSF 3DBPA:

[6] Vanezis P, Blowes R W, Linney A D, Tan A C, Richards R and Neave R (1989). Application of 3-D Computer Graphics for facial reconstruction and comparison with sculpting techniques, Forensic Science International 42, 69-84.

[7] NAFIS:

[8] IrisCode:

[9] VICAP:

[10] CATCHEM:

[11] Locard:

[12] Gutmann P (1996). Secure Deletion of Data from Magnetic and Solid-state Memory, Proc. Sixth USENIX Security Symposium, San Jose, California, 77-89.

[13] Stoll C (1988). Stalking the Wily Hacker, Comm. ACM, 31(5), 484-497.

[14] Stoll C (1998). The Cuckoo’s Egg, Pocket Books, ISBN 0-7434-1146-3.

[15] ENFSI FIT EWG:

(URLs were accessed on 18 July 2007)