Dr Sarah Morris
Digital Forensics Research Portfolio
Research Publications ~ 2014
Continued Development of a Masters Module on "Forensic Computing Using Linux"
Since 1998 the Centre for Forensic Computing at Cranfield University has offered short courses aimed at providing education to practitioners. In 2003 the Centre adapted the short courses to form a part time MSc program; in 2011 a full time version of the MSc was introduced. The Forensic Computing Using Linux Course was added to the program in 2007 and was developed to allow students to take the course as both a module on an MSc program, or as a short course. Since the introduction of this module both Forensic Computing Education and Linux Distributions have evolved; this has led to substantial changes to the content and delivery of the course.
Currently the aim of the module is to “develop a practical working knowledge and understanding of Linux, and open- source tools, as a platform for performing computer forensic examinations”. In order to meet this aim the syllabus currently covers a wide range of general Linux topics alongside sessions on forensic software, and the development of a forensic workflow. The course is taught over a single residential week with each lecture having a practical element; this provides the students with an opportunity to explore each concept using a structured practical as it is introduced to them. On the last day of the week the students are examined on the material. Accredited students also complete a piece of coursework.
For the next iteration of the course this paper proposes the development of material on portable Linux based devices and their role in the forensic computing devices. The paper also suggests the requirements for improving existing course content. Following the results of this research it is also proposed to change the assessment of the module through a practical exam and a scenario based coursework. The paper also highlights methods which could be used to strengthen the existing pre-work given to students a month before the residential module runs. In a recent restructuring of departments the Centre for Forensic Computing has joined the existing Cranfield Forensic Institute, leading to access to a wider range of forensic resources for teaching and research; this paper discusses the impact of this restructuring on the development of this module.
This paper examines the current state of the Forensic Computing Using Linux Module and looks at the system used for reflection and development of the module. The paper then examines alternative methods which could be used to assist the continual development of the module. This paper also includes a discussion on concepts which should be included when teaching Linux for Forensic Computing; this leads to a set of proposed course changes for the next iteration of the module. This paper contributes to a growing discussion with both the academic and law enforcement communities.
Full paper available on request
Morris, S; (2014); "Continued Development of a Masters Module on "Forensic Computing Using Linux""; Proceedings from 7th Cybercrime Forensics Education & Training. Canterbury Christ Church University, Canterbury, UK
Forensic Implications of Portable Operating System
C. Frewin, S.Morris
The development of portable technologies has made mobile computing publically available for mainstream use. The increased consumerisation of the IT industry has prompted a growing trend in the use of portable operating systems. Employers and industry have also begun to realise the cost and productivity benefits that accompany this trend. The speed and relatively low cost of hardware coupled with the availability of robust operating systems, which can be installed and run from a portable USB drive is providing further incentive to adopt this new technology. This portability offers greater freedom and flexibility in how and where users can work, as it allows the operating system to be run on any compatible host computer. These powerful devices may also be attractive to users who seek to perform unlawful activities. Historically digital investigations have centred around computers; leaving the seemingly innocuous USB device to be overlooked until later on in the case. Multiple storage devices are being seized more commonly, and the adage of them being used to only store files is rapidly becoming outdated.
This paper highlights the requirements for analysts to understand what constitutes a portable operating system. How these devices function, where and what they have been used for. This paper also investigates different portable devices, how they are created, the technologies involved and how their impact can be examined when they interact with the environment they are connected to. The aim of this paper is to provide a forensic examiner with a means of establishing the presence and usage of these devices, by examining the evidential value of the artefacts created as a result of the use of these types of technology
Full paper available on request
Frewin, C; Morris, S; (2014); "Forensic Implications of Portable Operating System"; Proceedings from 7th Cybercrime Forensics Education & Training. Canterbury Christ Church University, Canterbury, UK