The recent hacker attack on the University of Gießen has made many people aware that the threat posed by attackers from the Internet is continuously growing. In order to to learn from such security incidents, IT forensic scientists are required to investigate the 7 W questions of criminalistics: Who (perpetrator), What (crime), When (time of crime), Where (crime scene), how (sequence of events) and Which (Tools) and Why (motive). They use the digital traces left by the attacker to reconstruct the security incident and – ideally – to convict the perpetrator.


Through university contacts in the winter semester 19/20, I had the opportunity to offer the module “Digital Forensics” in the master’s program Business Information Technology at the Technical University of Middle Hesse (THM). As a pentester from the attacker’s perspective, I am already avoiding traces left behind during an attack and how they can be concealed. So the following topics were on the agenda for me:

  1. Hacking
  2. Anti forensics
  3. Reports
  4. Live forensics
  5. Disk analysis
  6. Application forensics
  7. Creation of malware
  8. Malware analysis
  9. Reverse Engineering

Following Sunzi’s quote – “You have to know your enemy to be able to defeat him” – I changed the perspective between the two opponents depending on the lecture unit and had the content discussed in the following scenario applied by the students:

Dubius Payment Ltd. is a recently established payment service provider that stores, processes and forwards credit card information. Since November 14, 2019 at 4:45 p.m. (Thursday), the production system has been experiencing breakdowns and its intrusion detection system has regularly reported unusually high network traffic by its payment gateway. Fearing a hacker attack, they asked the students as IT forensic experts to analyze the case.

In their practical work, collecting and analyzing digital traces on the live system, students found that an employee of the company tapped credit card data from the database at regular intervals. Just as like in reality, the students had to verify this conclusion and answer the question of whether the user had been the victim of a hacker attack himself or was actually responsible for the theft of the data via a subsequent data medium analysis of the suspect’s work computer. They compiled their results in the form of an expert report.

Of course, not everything went smoothly at the beginning. For example, I had to struggle with the construction of my planned laboratory: My goal was that the students would learn to use their own toolkit on a compromised system. So I replaced the Linux program “/usr/bin/ls” with the following “malicious code” on the live system:

#include <iostream>

#include <cstdlib>

using namespace std;

int main() {

cout << "I've got ya! ;)" << endl;

system("sleep 1");

system("sudo reboot");

return 0;

}

However, since “ls” is also used by init scripts, the malware led to an endless loop in the event of a restart. The use of an alias in Linux provided a better solution here. The students response to the course was great:

“It is the most exciting module in the entire master course. It is captivating and lots of fun”

Student

The previous comment contributed to my goal designing for a new online course for the binsec academy: The “Digital Forensics Training”, in which participants will certify as Binsec Academy Certified Digital Forensic Professional (BACDFP) in the future.