I have been approached by several students and a few of the professors at the college I attend with an idea to start a class on Forensic Programming. The idea that I had was to begin with file structures, then do some scripting and end with GUI programming. Does anyone have any suggestions or ideas of what would make a good forensic programming class? Any ideas are welcome.
The idea that I had was to begin with file structures, then do some scripting and end with GUI programming.
What experience will be required? How long will it be?
More importantly: what is the purpose of the course? The goal of it? Why should anyone sign up for it? What will they have learned once they've passed? Get *that* right, and you probably won't have to think about the contents any more.
Harlan, yes, that book has come highly recommended from a variety of sources. My one professor was a federal investigator for 22 years and swore by that book. In addition to Perl, are there any other scripting / programming languages that would be good to use? If I get this class running, most of the people taking it would be somewhat new to the programming field. Although I do believe that would make an excellent text book for that course.
Athulin, thanks for the response. Put into that context I think I will have a much easier time coming up with the idea. It was one that was tossed around, and with a background in forensic application development and teaching, I was approached to generate a proposal for the course. Never had to come at it from this end before though.
I wonder if our professor would be willing to co-teach or assist with the course. Would be interesting to see if he's willing to stick around for a few more years. Let me know if you need any assistance with the course or proposal; I can swing by the college on my days off. I just released all my programs for free to help the community. I'll go into more details later, but I am working on a new program in the meantime.
Ryan Manley
Hi
I do agree that Windows Forensic Analysis is a good book, and Perl is an important scripting language. But I will also recommend Python. I have used scripts written in Python, and they have been very useful.
In addition to Perl, are there any other scripting / programming languages that would be good to use?
The issue is not so much the scripting language but the libraries which exist to manipulate the various types and formats of data that you will be wanting to examine.
Perl is a good choice because there already exist a number of modules to manipulate the Windows registry, file systems, etc.
Similar libraries/modules exist in Java, C and Python, to name a few as well as Visual X,Y,Z. If you look at the open source The Sleuthkit, you see an example of how externally developed libraries are integrated into a package which focuses on the forensic examination of file systems.
There is also Enscript if you have EnCase.
My point being that, first, it makes no sense to reinvent the wheel and, second, what is it that you are really trying to teach? These modules and libraries exist because someone had a need to manipulate data in a given format and chose a language to write a tool for that purpose.
In order to do that, they already had to have a knowledge of the layout, organization and significance of the data that they were manipulating. I would not think of this as "forensic programming" as much as it is applying a computer program to the analysis of data for forensic purposes.
The principal use of programming in computer forensics is to automate processes which are tedious, inefficient, or prone to error when done manually, or highly repetitive. The assumption would be that the programmer already knows what problem is to be addressed by the program and how to address it, and is ready to sit down and design and code a solution. Thus, you need to start with some task in computer forensics which meets one or more criteria for automation.
If, instead, you want to teach the fundamentals of Windows (or MacOS or Linux or whatever), as they would be used in a forensic examination, I wouldn't consider it a forensics programming course so much as an OS internals programming course (which I wouldn't want to teach to non-programmers).
Ok, I do see the point. One of the main purposes that I wanted to develop the class was to teach people the structure behind the files that they were looking at. For me, it was much easier to learn by programming a way of reverse engineering them. Would it be a better idea to have a class on reverse engineering common Windows artifacts? We have the classes that go over using software to find the files, but in the sixteen weeks we don't have much time to cover how that information is stored in the file. I feel that it is just as important to be able to look at a file in either a hex editor, or some other viewer, and be able to tell what information is stored there in order to help understand how the software is retrieving the information. It's easy to say, "the program found it," but it may be better to be able to say "this is how the program found it, and this is how I was able to verify it." So would it be better to offer a class on reverse engineering? (In which case Harlan's book would still be very useful!)
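As an added illustration of the "this is how the program found it, and this is how I verified it" exercise described in the post above (example code, not from any poster or tool mentioned in the thread): a hex dump of a small record laid out like a Windows artifact, beside a parser that decodes it field by field. The record layout itself is hypothetical and constructed here; the FILETIME encoding (100-nanosecond ticks since 1601-01-01 UTC) is the real Windows one, so the timestamp decoding is the part a student would cross-check against a hex editor.

```python
import struct
from datetime import datetime, timedelta, timezone

# Hypothetical record layout (constructed for this example, not a real Windows format):
#   offset 0   uint32 LE  total record length in bytes
#   offset 4   uint64 LE  Windows FILETIME (100-ns ticks since 1601-01-01 UTC)
#   offset 12  uint16 LE  name length in bytes
#   offset 14  ...        name, UTF-16LE, no terminator
HEADER = struct.Struct("<IQH")           # 14 bytes, no padding with "<"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def hexdump(data, width=16):
    """Render bytes the way a hex editor shows them, so each field's offset can be checked by eye."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)

def parse_record(data):
    """Decode one record; refuse data whose length field disagrees with what is present."""
    if len(data) < HEADER.size:
        raise ValueError("record shorter than its fixed header")
    rec_len, ft, name_len = HEADER.unpack_from(data, 0)
    if rec_len != HEADER.size + name_len or rec_len > len(data):
        raise ValueError(f"length field {rec_len} does not match the data")
    name = data[HEADER.size:HEADER.size + name_len].decode("utf-16-le")
    return {"length": rec_len, "filetime": ft,
            "timestamp": filetime_to_datetime(ft), "name": name}

def build_record(ft, name):
    """Constructed sample input: pack a record so the parser can be checked against it."""
    raw_name = name.encode("utf-16-le")
    return HEADER.pack(HEADER.size + len(raw_name), ft, len(raw_name)) + raw_name

# 2009-01-01 00:00:00 UTC as a FILETIME: (1230768000 + 11644473600) * 10**7
SAMPLE = build_record(128752416000000000, "ntuser.dat")

if __name__ == "__main__":
    print(hexdump(SAMPLE))      # compare offsets 4..11 with the decoded timestamp below
    print(parse_record(SAMPLE))
```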
Greetings,
It sounds like you want to teach an operating systems course. The one I took, years ago, covered file systems, memory allocation, scheduling, etc. In other words - how information is stored on disk and in memory.
Teaching reverse engineering wouldn't make much sense without this sort of background.
-David