DocumentCode :
265644
Title :
Teaching Digital Forensics Techniques within Linux Environments
Author :
McDaniel, Lucas ; Hay, Brian
Author_Institution :
Dept. of Comput. Sci., Univ. of Alaska Fairbanks, Fairbanks, AK, USA
fYear :
2014
fDate :
6-9 Jan. 2014
Firstpage :
4848
Lastpage :
4856
Abstract :
Appropriately motivating digital forensics topics in an educational environment is a challenging task for a lecturer. Not only will the skill levels of the students vary widely, but designing a lab exercise that introduces a single concept runs the risk of requiring too much additional knowledge to appropriately describe the task or may easily devolve into a contrived example that does not allow the student to fully grasp the extent of the topic at hand. In some cases, this difficulty is compounded by the sheer amount of misinformation that results from years of common knowledge and research becoming invalid after changes to kernels and operating systems. Last year, the Honeynet Project Challenge 12 - "Hiding in Plain Sight" - and a computer security workshop sought to introduce some concepts regarding information and process hiding and disguising through a series of digital forensics labs. This paper will describe the components of these labs that were successful at motivating a core concept, as well as those that were not as successful and have been subsequently modified based upon feedback. These findings will be presented through a suggested lecture-lab format, and a series of scoped topics that can be used in other educational environments to motivate digital forensics and anti-forensics concepts. Scripts used to build each lab have also been provided to serve as a point of reference.
Keywords :
Linux; computer aided instruction; digital forensics; operating system kernels; Honeynet Project Challenge 12; Linux environments; antiforensics concept; computer security workshop; digital forensics labs; educational environments; kernels; lab exercise; lecture-lab format; lecturer; operating system; teaching digital forensics techniques; Conferences; Digital forensics; Kernel; Libraries; Linux; Malware; Digital Forensics; Educational Module; Linux; Malware Forensics; Process Hiding;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
System Sciences (HICSS), 2014 47th Hawaii International Conference on
Conference_Location :
Waikoloa, HI
Type :
conf
DOI :
10.1109/HICSS.2014.595
Filename :
6759197