Automatically Creating Realistic Targets for Digital Forensics Investigation

The need for computer forensics education continues to grow, as digital evidence is present in more crimes, whether the crimes directly involve computers or not. An essential component of training in computer forensics is hands-on, realistic laboratory assignments. Creating detailed, realistic lab assignments, however, is a difficult task. The “crime” must be played out on the machine, often in real-time, since timestamps present in numerous places in the system, such as files and logs, must be discovered and examined by students. Developing, running, and evaluating the labs can be labor intensive and instructors have limited time to spend on creating and grading laboratory experiments. We are developing FALCON (Framework for Laboratory Exercises Conducted Over Networks), an extensible framework that addresses the problem of creating, running, and evaluating detailed, realistic computer laboratory assignments in computer forensics. FALCON includes a component that enables instructors to set up scenarios on virtual target machines for the students to investigate. Existing tools for both “live” and “dead” machine investigations can be integrated into FALCON. In addition, FALCON logs all student activity for automated assessment of student performance. Currently, FALCON is a work in progress and some tasks remain manual. The goal is to automatically transform high-level descriptions of digital forensics scenarios into detailed investigative targets which contain activities derived from the scenarios, as well as historical activity (timestamps, logs, history, etc.). While the initial version of FALCON focuses on computer forensics, it will be extensible to other areas, such as incident response, as well as general computer security instruction.