Computer Forensics Education

1. Introduction Traditional information security research focuses on defending systems against attack before they happen. More recently, security auditing has evolved to intrusion detection systems that are concerned with recognizing attacks and taking action to curb further damage at the time of the attack. Comparatively little research has focused on after the fact investigation, partly because network owners are willing to absorb losses from computer crime rather than risking their reputation by allowing details of their exploited vulnerabilities to become public. In the face of growing losses resulting from computer crime, interest in after the fact investigation and evidence gathering techniques is growing. An essential element in improving forensic techniques is development of a comprehensive approach to forensics education. In this paper we present requirements, resources, and proposed pedagogical approaches for developing and implementing a forensics program in higher education. In the next section we address the composition of a forensics workforce and follow with a discussion of curricula issues. We then present arguments for finding suitable resources for a forensic education program and conclude with a summary and recommendations. 2. Background. The term " computer forensics " is used in many contexts and has many synonyms. The term originated with early law enforcement practitioners who used the term to refer to the examination of stand-alone computers for digital evidence of all forms of crime. Some prefer to call this aspect of computer forensics by the term " media analysis ". As computers became larger and more networked, computer forensics became a term commonly used to refer to the post-incident analysis of computers victimized by an intrusion or malicious code. Particularly in the former instance, where network traffic is captured and analyzed, people may describe this as " network forensics " [1]. Some have argued that " forensic computing " is a more accurate term for either of these scenarios, especially since more and more digital evidence is being examined from objects not commonly thought of as computers (i.e. digital cameras). Despite this, we will utilize the generic term computer forensics to apply to both workstation and network-focused forensic disciplines. Occasionally, we also use the phrase Computer and Network Forensics or CNF when discussing Abstract While research is exploding on information security, the need for application of science and education to forensics for computer related crimes is largely limited to law enforcement organizations. At the recent Workshop on Computer Forensics, …