A Term Project for a Course on Computer Forensics
WARREN HARRISON
Portland State University, Oregon
__________________________________________________________________________________________

The typical approach to creating an examination disk for exercises and projects in a course on computer
forensics is for the instructor to populate a piece of media with evidence to be retrieved. While such an
approach supports the simple use of forensic tools, in many cases the use of an instructor-developed
examination disk avoids utilizing some key aspects of a digital investigation by overly focusing on the
mechanics of retrieval. We recently developed a course on computer forensics that utilized a large-scale, team-
based term project involving the forensics examination of a computer system. In this article we describe an
approach for providing examination disks for student use in a term project that reinforces the investigative
aspect of the process.
Categories and Subject Descriptors: K.4.2 [Computers and Society]: Social Issues - Abuse and crime involving
computers; K.3.2 [Computers and Education]: Computer and Information Science Education - Curriculum
General Terms: Security, Legal Aspects
Additional Key Words and Phrases: Student projects, computer crime, computer evidence
__________________________________________________________________________________________

1. INTRODUCTION
Over the past few years, computer departments have shown growing interest in both
research and education dealing with computer forensics, which has led to the introduction
of a large number of newly developed classes on the subject.
A significant issue involves the use of practical exercises within a forensics
curriculum. Most forensics classes involve at least the modest use of tools to extract
evidence from a hard drive. Such exercises require an examination disk containing
“evidence” that is to be discovered and retrieved by the student.
The typical approach to creating an examination disk for exercises and projects is for
the instructor to populate a piece of media (usually removable media such as a floppy
disk or a CD) with the evidence to be retrieved. Probably the most common example is to
require the student to find their certificate of completion or a document containing their
name or grade through a forensic analysis of the media. While such an approach supports
the simple use of forensic tools, we feel that in many cases the use of an instructor-
developed examination disk avoids utilizing some key aspects of a digital investigation
by overly focusing on the mechanics of retrieval.
We recently developed a course on computer forensics targeting upper-division
computer science undergraduates. This class utilized a large-scale, team-based term
project involving the forensics examination of a computer system. In this article we
describe an approach to providing examination disks for student use in the term project
that reinforces the investigative aspect of an examination.
__________________________________________________________________________________________

Author’s address: Warren Harrison, Department of Computer Science, Portland State University, Portland, OR
97207-0751 warren@cs.pdx.edu
Permission to make digital/hard copy of part of this work for personal or classroom use is granted without fee
provided that the copies are not made or distributed for profit or commercial advantage, the copyright notice,
the title of the publication, and its date appear, and notice is given that copying is by permission of the ACM,
Inc. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific
permission and/or a fee. Permission may be requested from the Publications Dept., ACM, Inc., 2 Penn Plaza,
New York, NY 11201-0701, USA, fax:+1(212) 869-0481, permissions@acm.org
© 2007 ACM 1531-4278/07/0600-ART1 $5.00.

ACM Journal of Educational Resources in Computing, Vol. 6, No. 3, September 2006. Article 6.
2. RECOVERY VS. INVESTIGATION


Exactly what the focus should be in a computer forensics course that is taught in a
computer science department is unclear. Our class was designed to be oriented towards
recovery of digital evidence in either civil or criminal legal proceedings, though our
emphasis was clearly at the criminal end of the spectrum. We found the categories of
computer forensics personnel identified in Yasinsac et al. [2003] helpful in identifying
topical content:

● Technicians carry out the technical aspects of gathering evidence, so they must
have sufficient technical skills to gather information from computers and
networks. They must understand both software and hardware on host computers
as well as the networks that connect them.
● Policy makers establish forensic policies that reflect the enterprise’s broad
considerations. It is the policy maker’s responsibility to see the impact of
forensics in the broader context of business goals and make the hard decisions
that trade-off forensics capabilities against issues of privacy. Although these
administrators focus on the big picture, they must be familiar with computing
and forensic sciences.
● Professionals are the link between policy and execution. The computer forensic
professional must have extensive technical skills as well as a broad and deep
understanding of legal procedures and requirements gained through either a
broader education or extensive experience. Moreover, the computer forensic
professional must understand the organizational perspective, to ensure that
policies are executed properly within the business context.

The goal of our course was to produce computer forensic professionals. Therefore, we
believe that there are certain skills students should possess at the end of the class, as
follows: the ability to

● identify relevant electronic evidence associated with various violations of
specific laws, including, but not limited to, computer crimes. Relevant evidence
is any evidence that makes the existence of a fact that is of consequence to the
case either more or less probable than it would be without the evidence. Two of
the skills that bear directly on this include (1) identifying the “elements of the
crime” and relating electronic artifacts to these elements; and (2) presenting
evidence to a nontechnical audience in a coherent, logical manner.
● identify and articulate probable cause as necessary to obtain a warrant to
search for electronic artifacts and recognize the limits of warrants. We felt this
was important because not only was there widespread misunderstanding of
probable cause issues and 4th Amendment/statutory protections among the
students, but there was also a serious misunderstanding of the criminal justice
system and related processes.
● locate and recover relevant electronic evidence from computer systems using a
variety of tools. This entails the use of actual forensics tools on “seized” media.
We used the e-fense Helix Forensics Distribution (http://www.e-fense.com/helix/).
Helix is a bootable CD containing many open source forensic tools, including Brian
Carrier’s sleuthkit and autopsy (http://www.sleuthkit.org), that allows a “live” analysis
of a computer system. It boots into a customized Knoppix environment that does not
impact the host computer or its drives in any way.
● recognize and maintain a chain of custody of electronic evidence. Any evidence
that ultimately makes its way to judicial review must demonstrate tight controls
over its access, commonly referred to as a “chain of custody.” At any given
point in time, it should be possible to identify who had possession of the
evidence, where it was, and what it was accessed for. Students need to
understand the importance of, as well as become accustomed to, enforcing a
chain of custody.
● follow a documented forensics investigation process. Students regularly report
that when they perform their first forensic analysis, their approach to identifying
evidence is very much “hit-and-miss.” Oftentimes they could not even
remember the strings for which they had already searched from session to
session. Ultimately, this leads to an inefficient, unrepeatable ad-hoc process.
Investigators should plan their investigation before attempting a forensic
analysis of the evidence disk.

We wanted students to have an opportunity to exercise each of these skills, and we
viewed the term project as the ideal vehicle to provide it.
3. THE ROLE OF THE PROJECT IN A COMPUTER FORENSICS COURSE
Our course was designed for a 10-week quarter. When designing the class, we had the
option of using either a set of weekly graded exercises, or a major project spread over 7
of the 10 weeks in which students could exercise the skills and knowledge being covered
in class. While in theory, we could have selected both the graded exercises and the term
project, we were reluctant to overwhelm the students with what might be considered
redundant activities.
Our view of the “exercise option” was that it would revolve around the traditional
evidence discovery, recovery, and related activities; for example, imaging drives,
recovering deleted files, keyword searches, and hashing and hash utilization. On the other
hand, our vision of a term project was an exercise that would closely emulate a real
investigation involving digital evidence. This would entail not only the discovery and
recovery of evidence, but also planning the investigation, distinguishing between relevant
and nonrelevant evidence, articulating probable cause, and observing the bounds of a
search warrant.
We decided to select a term project over weekly exercises because we felt weekly
exercises would emphasize the technician aspect of computer forensics too much. We
wanted students to understand the context within which a digital investigation exists,
since this is important for the computer forensic professional.
While we had not originally anticipated it, we also found that the use of a project gave
students the time and opportunity to investigate tools and techniques that would not have
been encountered in preplanned weekly exercises. For example, even though Helix was
the de facto tool kit discussed in class (and used in in-class hands-on exercises), we
invited students to investigate other open source forensics tools and tool kits as they
carried out their project (e.g., http://www.opensourceforensics.org/).
4. PROJECT CHARACTERISTICS
The project needed to possess a number of important characteristics because our focus
was split between the technical aspects of evidence discovery and recovery, as well as the
investigatory aspects such as identifying relevant evidence, articulating probable cause,
observing the limits of a search warrant, and maintaining a chain of custody.

Figure 1. Workstation with a removable drive bay (image not reproduced)

Figure 2. Evidence lockers, one per team (image not reproduced)

First, we wanted students to work within a realistic environment. This meant students
needed to deal with a rich set of potential evidence—some relevant and some irrelevant
to the investigation. We felt this would require access to evidence disks containing a
large amount of data. In our case, we used 20-gigabyte (G) hard drives loaded with XP
and Office XP as the evidence disks.
Second, to truly motivate the chain of custody concept and illustrate its importance,
we found that students had to believe that it was not only possible but in fact likely that
others would have access to their evidence disks. We forced this situation by organizing
the project around a set of three-person teams. Within this context, students rapidly
understood the importance of the chain of custody and associated controls such as media
hashing to verify that the contents of the evidence disk had not changed since the student
last had custody of the media. This arrangement also encouraged communication and
scheduling among team members, which is a major goal within the Portland State
University computer science program.
5. A FORENSICS EDUCATIONAL LABORATORY
The project was facilitated using the infrastructure provided by our Computer Forensics
Educational Laboratory. This facility consists of 15 dedicated workstations with bays for
removable drives (Fig. 1), and a set of evidence lockers (Fig. 2)—one locker per team—
to illustrate chain of custody. This enabled members of a team to check their evidence
disk out from their locker, install and analyze it on any free machine in the Lab, and
return it to secure storage when they were done.
In addition to the 15 workstations with single removable drive bays, there was also an
“imaging station” consisting of a Linux-based PC with two removable drives so teams
could use dd to image original evidence drives and create analysis drives. Thus, if the
contents of a drive were to change, the team could reimage the original evidence drive.
The dedicated nature of the Lab made access easy for our forensics teams. This was
important, since imaging and doing string searches over a 20-G hard drive can take hours.
However, an open Lab would have worked equally well as long as the workstations had
removable drive trays, each team had secure locker storage, and either liberal access
policies or scheduled signups were made available to allow extended sessions.
Our removable bays and extra trays cost under $25 per computer and the lockers were
obtained from a surplus furniture outlet for approximately $100. In addition, each team
was assigned two 20-G hard drives (one for the original evidence disk and one for the
image) at a cost of approximately $70 per team. A special-purpose imaging machine can
be assembled from surplus components for under $400.
Given an existing computing capability, a forensics infrastructure upgrade can be put
into place for approximately $100 per team, plus $500 for a dedicated imaging
workstation and a set of secured evidence lockers.
6. THE PROJECT
The project consisted of three phases. Phase I entailed the creation of an evidence disk.
Phase II involved swapping the evidence disks among the teams and finding relevant
evidence from the evidence disk. Phase III was a presentation to the rest of the class
outlining the evidence retrieved in Phase II. Each of these phases is further explained
below.
Phase I. In the first phase of the project, each forensics team was provided with a 20-
G removable hard drive, formatted using FAT-32 and containing Windows XP and
Office XP. The team was instructed to select two crimes from the list in Table I. These
are Oregon state crimes (http://www.leg.state.or.us/ors) that frequently involve digital
evidence. A similar list could be easily constructed for any other jurisdiction.
Each team was to identify one primary crime and (at least) one secondary crime. The
team would prepare a crime summary for the primary crime. The summary should clearly
identify the primary crime, the identity of the individuals involved (both suspects and
victims), as well as indicating any relevant physical evidence.

Table I. Selected Oregon Crimes

ORS section         Crime
164.125             Theft of services
164.345/354/365     Criminal mischief
164.377             Computer crime
165.007/013         Forgery
165.017/022         Criminal possession of a forged instrument
165.032             Criminal possession of a forgery device
165.055             Fraudulent use of a credit card
165.080             Falsifying business records
165.100             Issuing a false financial statement
165.800             Identity theft
165.810             Unlawful possession of a personal identification device
165.813             Unlawful possession of fictitious identification
163.732             Stalking

Table II. ORS 165.055 Fraudulent Use of a Credit Card

(1) A person commits the crime of fraudulent use of a credit card if, with intent to
injure or defraud, the person uses a credit card for the purpose of obtaining property or
services with knowledge that
    (a) the card is stolen or forged; or
    (b) the card has been revoked or canceled; or
    (c) for any other reason the use of the card is unauthorized by either the issuer or
        the person to whom the credit card is issued.
(2) “Credit card” means a card, booklet, credit card number or other identifying symbol
or instrument evidencing an undertaking to pay for property or services delivered or
rendered to or upon the order of a designated person or bearer.
An example of a crime summary prepared by one of the forensic teams is provided in
Appendix I.
After preparing the crime summary, the team was to make use of the standard
productivity tools found on the hard drive, as well as any freely available tools that could
be downloaded from the Internet to manufacture evidence relevant to the crime at hand.
In essence, the team was asked to “play the criminal.” The teams were instructed to make
sure that the various pieces of evidence were manufactured in a number of forms: from
obviously named files (e.g., “StolenCreditCardNumbers.xls”) stored in plaintext, to files
that had been renamed and/or had improper extensions, and deleted files. This ensured
that every team would achieve at least some level of success in finding some evidence.
For example, if the primary crime involved ORS 165.055 Fraudulent use of a credit
card (see Table II), and the crime summary indicated that a credit card was used to
fraudulently purchase a particular item from the Internet, we might expect to find
evidence (such as cookies, cached web pages from the online store at which the purchase
was allegedly made, or an e-mailed invoice of such a purchase) on the computer’s hard
drive.
The team was also to perform a similar activity in the context of the secondary crime;
however, no crime summary was to be prepared for the secondary crime. The point of the
secondary crime was to provide an opportunity for the examination team to find evidence
of a crime that would fall outside the scope of the associated search warrant.
Students must understand the elements of the crime to effectively carry out this
activity. If the elements of the particular crime were ignored, the team could spend a
great deal of effort manufacturing irrelevant evidence while neglecting to manufacture
any relevant evidence. For example, in the case of fraudulent use of a credit card, the
elements of the crime are (see Table II):

(1a) an intent to injure or defraud;
(1b) the card is used to obtain property or services;
(1c) the actor has knowledge that the card is stolen, forged, revoked, canceled, or its
use is otherwise unauthorized.

The team could spend a great deal of effort generating spreadsheets of “stolen” credit
card numbers, which could be absolutely irrelevant to the investigation of this crime
while omitting proof the card was used to obtain property or services or that the actor had
knowledge that use of the card was unauthorized.
While important in Phase I of the project, recognition of the elements of a crime
becomes essential in Phase II when the teams are tasked with finding relevant evidence.
Not surprisingly, this was one of the aspects of an investigation with which technical
students appeared to have the greatest trouble in both Phase I and Phase II.
In addition to turning in their manufactured evidence disk and crime summary, each
team also turned in an index of each piece of evidence deposited on the hard drive. For
example, the location of all manufactured cookies and files, as well as their evidentiary
significance would be listed.
Phase II. At the beginning of Phase II, the evidence disks and associated crime
summaries prepared by each team were randomly swapped among the other teams in the
class. Each team was tasked with identifying and recovering relevant evidence within the
context of the crime summary associated with the evidence disk. The disk swap was
“double blind,” so it would be difficult for teams to solicit or volunteer hints as to where
the evidence was located. Questions that were necessary due to shortcomings in the crime
summary (e.g., what is the credit card number that was stolen?) were filtered through the
instructor to maintain anonymity.
The first step performed by each team was to study the crime summary and study the
statutes from Table I. Based on their understanding and the statutes, the team could
establish the most appropriate crime and enumerate the elements of the crime. Once the
elements of the crime were identified, the team knew the facts to be proven, and
consequently the types of evidence they should look for on the evidence disk.
Each team began the examination process by imaging the original evidence disk to
create the working investigation disk. The original disk was put into the custody of the
instructor (to ensure it could be recovered if necessary) and the investigation disk was
used by the team to obtain relevant evidence.
Each team was provided with a combination lock to their lockers and a chain of
custody check-out form (see Appendix II). Team members signed out the evidence disk
from the locker and signed it back in when they were finished with it. In addition, the
team was also provided with a bound Mead composition notebook in which to take notes
describing each analysis session. At the very least, the notes were to document the time
and date of each session as well as the operations carried out on the investigation disk and
their results.
The compilation of working notes was stressed as an important way to keep from
repeating operations that had already been performed as well as preventing the team from
overlooking an analysis that they had planned to carry out. The notes could also be cross-
checked with the chain of custody to ensure team members adhered to the checkout and
documentation procedures.
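The check-out form and media hashing described above (Sections 4 and 6) can be combined into one small tool; the following is an added example, not code from the course or the paper. It keeps an append-only custody ledger, verifies the SHA-256 of the working image against the last logged value at every check-out, and answers who held the image at a given time. Team member names, file names and the image bytes are constructed sample data.

```python
"""Chain-of-custody ledger with hash verification (added example, not code from
the paper). It models the locker check-out form plus media hashing: every event
logs who held the image, when, why, and its SHA-256, and a check-out whose hash
differs from the previous record is flagged as altered outside anyone's custody."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

CHUNK = 1024 * 1024  # hash 1 MiB at a time; a 20 GB image never has to fit in RAM


def sha256_file(path):
    """Stream the file through SHA-256 and return its hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only JSON-lines ledger, one record per custody event."""

    def __init__(self, log_path):
        self.log_path = log_path
        self.entries = []
        if os.path.exists(log_path):  # reload an existing ledger
            with open(log_path) as f:
                self.entries = [json.loads(line) for line in f if line.strip()]

    def _append(self, record):
        self.entries.append(record)
        with open(self.log_path, "a") as f:
            f.write(json.dumps(record) + "\n")

    def _record(self, event, image_path, custodian, purpose, when):
        when = when or datetime.now(timezone.utc)
        return {"event": event, "custodian": custodian, "purpose": purpose,
                "time": when.isoformat(), "sha256": sha256_file(image_path)}

    def check_out(self, image_path, custodian, purpose, when=None):
        """Sign the image out of the locker. Returns (record, intact); intact is
        False when the hash no longer matches the last logged one, i.e. the
        image changed while it was supposedly sitting in the locker."""
        record = self._record("check_out", image_path, custodian, purpose, when)
        previous = self.entries[-1]["sha256"] if self.entries else None
        record["intact"] = previous is None or record["sha256"] == previous
        self._append(record)
        return record, record["intact"]

    def check_in(self, image_path, custodian, notes, when=None):
        """Sign the image back in. The hash logged here is what the next
        check-out is verified against, so a session that wrote to the image
        is also visible as a check-out/check-in hash difference."""
        record = self._record("check_in", image_path, custodian, notes, when)
        self._append(record)
        return record

    def custodian_at(self, when):
        """Who held the image at `when`; 'locker' if it was signed in."""
        holder = "locker"
        for e in self.entries:
            if datetime.fromisoformat(e["time"]) > when:
                break
            holder = e["custodian"] if e["event"] == "check_out" else "locker"
        return holder

    def broken_links(self):
        """Check-out records whose hash did not match the preceding record."""
        return [e for e in self.entries
                if e["event"] == "check_out" and not e["intact"]]


def run_demo():
    """Constructed scenario: one team image, altered between two sessions.
    Returns a summary dict so the outcome can be checked programmatically."""
    t0 = datetime(2004, 11, 1, 9, 0, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "evidence.img")  # stand-in for the dd image
        with open(image, "wb") as f:
            f.write(b"FAT32 image bytes (constructed sample)\n" * 4096)
        log = CustodyLog(os.path.join(d, "custody.jsonl"))
        _, first_ok = log.check_out(image, "alice", "keyword search", t0)
        log.check_in(image, "alice", "searched for the card number",
                     t0 + timedelta(hours=2))
        with open(image, "r+b") as f:  # altered while signed in to the locker
            f.write(b"X")
        _, second_ok = log.check_out(image, "bob", "recover deleted files",
                                     t0 + timedelta(hours=5))
        return {"first_checkout_intact": first_ok,
                "second_checkout_intact": second_ok,
                "holder_at_10am": log.custodian_at(t0 + timedelta(hours=1)),
                "holder_at_1pm": log.custodian_at(t0 + timedelta(hours=4)),
                "broken_links": len(log.broken_links()),
                "records": len(log.entries)}
```

A flagged check-out is the signal to stop work on the image and re-image from the original evidence drive, as the procedure above prescribes; the ledger itself should live outside the image so it cannot be altered with it.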
Students were given a broad scope in the tools used to recover evidence. Each team
was provided with a Helix CD, but they were invited to acquire or build other tools that
they might need. Most teams used Altheide’s paper on forensic analysis of Windows-
based systems [Altheide 2004] as a starting point in their analysis of the evidence drive.


Phase III. At the end of seven calendar weeks (approximately three weeks for Phase
I, a one-week break to allow the instructor to administer the evidence disks, and three
more weeks for Phase II), each team was to present the evidence they had obtained.
Each team prepared a 20-minute PowerPoint presentation to document the evidence
recovered by their examination, which included the following information:

● the crime and its elements
● location of the evidence
● how it was found
● its relevance to the crime under investigation.

This information was presented to the rest of the class and assessed on its technical
correctness, how well the team was able to explain how they retrieved the evidence, and
its significance. During the presentation, individual team members were also extensively
questioned to determine their ability to articulate their activities and the details of their
tools to a nontechnical audience, such as they would to a jury in a court proceeding.
7. ASSESSMENT
Because the course is intended for upper division computer science majors, many of the
technical issues involved in computer forensics, such as file system organization and file
structures were assumed to pose no significant challenge to the students. Of first
importance is the ability of students to recognize relevant evidence and understand the
unique statutory and constitutional limitations involved in searching electronic artifacts
[Harrison 2004]; of second importance is an awareness of, and the ability to use, common
forensics tools.
The students’ mastery in

● identifying relevant electronic evidence associated with various violations of
specific laws including, but not limited to, computer crimes;
● articulating probable cause as necessary to obtain a warrant to search for
electronic artifacts, and recognize the limits of warrants;
● locating and recovering relevant electronic evidence from computer systems
using a variety of tools;
● recognizing and maintaining a chain of custody of electronic evidence; and
● following a documented forensics investigation process

was assessed using three artifacts: (1) the crime summary and evidence disk from Phase
I; (2) the Phase III presentation detailing the evidence they found and how they went
about finding it; and (3) a take-home examination distributed in week 8. In addition,
because artifacts (1) and (2) assessed team rather than individual performance, a peer evaluation
form was completed by each team member and the “working notes” were reviewed to aid
in assigning individual grades.
Assessment Artifact (1). In the evaluation of the evidence disk and crime summary,
the evaluation centered on the team’s ability to accurately identify the elements of the
selected crime and engineer plausible evidentiary objects. For example, in the case of
fraudulent use of an individual’s own credit card, two elements of the crime are 1) the
card is used to obtain property or services, and 2) the actor has knowledge that the card is
stolen, forged, revoked, canceled, or its use is otherwise unauthorized. Evidence of the
first element may involve cookies from an e-commerce site, an e-mail confirming a
purchase, or a number of other objects; evidence of the second might consist of an e-mail
from the credit card company indicating the card has been revoked, or conversely, an e-
mail from the actor to the credit card company prior to the purchase in question asking
for the card to be canceled because it was stolen. Within the context of a computer
forensics analysis, this ability is important, because if students know plausible and
adequate evidence to engineer, they’ll also know not only where to look for this evidence,
but what evidence is relevant. This can easily be determined by examining the index that
is turned in with the manufactured evidence disk.
Assessment Artifact (2). The investigation process and evidence recovery is
documented in the teams’ presentations (PowerPoint slides), plus questioning during the
presentation. This presentation should detail the procedures followed and the tools used.
Unlike the first assessment artifact in which we looked for things the teams had done, the
second assessment involved looking for things the teams had not done. The ability to find
all relevant evidence was deemed less important than following a systematic, disciplined
analysis procedure and accurate identification of whether evidentiary items were relevant
or not. Consequently, we looked for evidence that a systematic procedure was not
followed or that “evidence” located by the team was not relevant or adequate to prove the
elements of the crime. We also were concerned that appropriate tools were used, and
cogent explanations of what the tools actually identified (e.g., in the case of deleted files,
could the team explain how the file was recovered?). Part of this can be gleaned from the
PowerPoint slides and presentation, the rest can be obtained through questions and
answers during the presentation.
Assessment Artifact (3). Two weeks prior to the end of the term, a take-home
examination was distributed to each student (see Appendix III). The examination
provided an opportunity to assess each student’s knowledge of search and seizure issues,
including probable cause, the Fourth Amendment and the Electronic Communications
Privacy Act, as well as various technical details.
In the final analysis, the course met all of its goals. The students came away with an
enhanced understanding of both the role of electronic evidence in criminal prosecution,
as well as the nontechnical limitations imposed on the forensic analyst by the courts and
the law. This background will serve those students well who intend to enter the field (out
of a class of 15, at least 2 have taken positions dealing with computer forensics upon
graduation).
8. LESSONS LEARNED
This article describes our first attempt at organizing a computer forensics term project. As
can be expected, a number of important lessons were learned that we intend to use in our
next offering.
Commercial Sites Encode Cookies
A great deal of digital evidence in a case involving credit card fraud or identity theft can
involve Internet cookies that are placed on a hard drive as a by-product of visiting certain
websites. Forensic teams had a great deal of difficulty decoding various proprietary
cookie formats. For example, an Internet Explorer cookie might look like this:

SITESERVERID=729d8ae906ae5f49258cfa9aa34db74echeaperthandirt.com/153664285900831887777267732796829631142*

There is no convenient mechanism to decode these proprietary formats short of
contacting the company, which hampered the teams involved in extracting evidence.

We intend to overcome this problem in future forensics projects by providing
specially engineered “electronic commerce sites” that store transaction info in plain text
for ease of recovery.
Proprietary File Formats
As with cookies, there are a number of common productivity tools that use proprietary
formats for files and logs. For example, Outlook artifacts cannot be read directly by most
analysis tools. Because Helix was primarily used to analyze the contents of the evidence
disk, many teams couldn’t interpret e-mails manufactured using Outlook. When viewed with
a text-oriented tool, an Outlook entry appears as an opaque run of binary bytes rather than
readable text.

To address this problem in future project offerings, we plan to use open source
productivity tools that use plaintext for files and logs. For example, Mozilla stores its
saved e-mail in plaintext so it is easy to process.
Security by Obfuscation Isn’t
Several student teams downloaded large amounts of irrelevant content to “pack” their
evidence disk. For example, random images and databases all helped maximize the use of
the 20-G hard drives. While the examination teams found the large amount of irrelevant
data mildly annoying, the challenges it contributed to the analysis weren’t worth the effort
expended to obtain it. In future classes, teams will be cautioned to avoid investing
inordinate amounts of effort in finding “random data” with which to pack the evidence
disk.
9. CONCLUSION
The project described in this article provides computer forensic students ample
opportunity to carry out a realistic computer investigation. Most importantly, it avoids a
fixation on the mechanistic recovery of data using automated forensics tools and helps
the student focus on the significance of evidence. Nevertheless, we have learned some
valuable lessons on how to improve the experience for future offerings.


APPENDIX I
SAMPLE CRIME SUMMARY

On the morning of Friday, October 29, 2004, Clackamas County Sheriff’s Deputies
arrived at 1415 Redneck Way to serve a search warrant for Igor Sikorsky at that address.

The Clackamas County Sheriff’s Department had received a tip from Detective Gates
with the San Luis Obispo Police Department regarding a case wherein a resident of San
Luis Obispo, Ms Regina Reginald, had reported illegal use of her Visa card to the
Department. Follow-up work by Detective Gates had resulted in a subpoena being issued
to Specialized Bicycle’s web sales department for their records, yielding the address to
which the bicycle ordered with Ms Reginald’s credit card had been delivered.

Deputy Sellers and Deputy Riggs served the warrant at 08:29 AM, knocking twice on
the door. They reported hearing someone scrambling towards the back of the residence,
away from the front door. At this time the deputies used an entry device to batter down
the door and enter the residence. The deputies caught sight of Sikorsky running around a
corner at the end of the main hallway, and gave chase. They caught up with him in the
garage, where he was standing hunched over a computer desk, using the mouse. Upon
hearing the deputies enter, Sikorsky dived underneath the desk and pulled the power cord
to the computer, shutting it down. At this point the deputies quickly subdued Sikorsky.

The deputies located a Specialized bicycle whose model matched the one that the
information from Detective Gates indicated was the very one purchased with the stolen
credit card. Also discovered in the garage were a George Foreman Grill™ and an X-Box
gaming console, both in their respective boxes. The Foreman Grill still had a packing slip
attached to the box from Amazon.com (see evidence item #138) with the name “Richard
Stallman” listed as the recipient. It featured credit card and shipping information.

Also discovered on a work bench in Sikorsky’s garage was an Oregon State Driver’s
license, featuring Sikorsky’s photo but bearing the name of one “Paul Allen.”

The suspect’s computer was seized along with the above-mentioned items and
Sikorsky was taken into custody. He was booked into Clackamas County Jail at 09:38
AM.


APPENDIX II
CHAIN OF CUSTODY FORM

Digital Evidence Custody Form/Page 1 of 5

Evidence ID# ____________________________________

Case # _________________________________________

Investigation Team ________________________________

Date        Time Out     Time In      Name/ID      Remarks
----        --------     -------      -------      -------


APPENDIX III
FINAL EXAMINATION
1. A reporter with the Vanguard (the PSU student newspaper) is working on a story
involving the sale of crack on campus. The reporter has stored his interviews with
campus crack users on the Vanguard server in Smith Center in anticipation of writing
the story. (A) Portland police detectives obtain a search warrant that authorizes them
to seize the contents of the server’s hard drive in order to obtain the name of the
primary PSU crack dealer that they believe appears in one of the interviews. When
challenged, do you think this search will be ruled legal? Explain. (B) Assume the
reporter is shocked by the information he uncovers in the process of interviewing
PSU crack users. Several tell him that a local private university is selling crack to
PSU students to augment declining budgets. He contacts the Portland Police Bureau
vice squad and volunteers this information. Based on this “tip,” detectives request and
receive a search warrant to seize information from that university’s institutional
server, which contains financial information regarding the crack purchases and sales.
When challenged, do you think this search will be ruled legal? Explain.
2. While investigating a stalking complaint, the victim, Suzie Queue, provides detectives
with copies of two e-mails from a Yahoo user named pippi_longstalking:

• E-Mail #1: Dear Suzie: I saw you in the forensics class last week. It was love at
first sight. RD.
• E-Mail #2: Dear Suzie: I own a very large knife. Some day I may show it to you.
Especially if you won’t reciprocate my love for you. RD.

(A) The detective assigned to the case decides to contact Yahoo and see if they can
supply the real name of pippi_longstalking. What does the detective need to supply in
order to compel Yahoo to provide this information? Explain. (B) Assume the
detective not only wants to obtain the real name of the user, but she also wants copies
of all e-mails this user has sent over the past 90 days. What does the detective need to
supply in order to compel Yahoo to provide this information? Is this answer different
from the one from (A)? Explain.
3. In the stalking case discussed in Question 2, the detective has been able to obtain both
the real name of the owner of the Yahoo login pippi_longstalking as well as all e-
mails that have been sent from this account over the last 90 days. The owner of the
account is named Rufus Dufus. The acquired e-mails include the two e-mails initially
provided by Suzie Queue. (A) Do you believe this provides evidence of stalking?
Explain. (B) After obtaining Rufus Dufus’ name and copies of the e-mails sent from
the Yahoo account, the detective contacts Rufus at home. When confronted with the
e-mails, Rufus explains that he had obtained the Yahoo account for a class in January,
but had forgotten the password, so he created another Yahoo login: “stiletto”, and had
let the pippi_longstalking account go unused since February. He doesn’t know who
sent the e-mails, but he swears it wasn’t him. He gives the detective permission to
search his home computer in response to the request “may we check your computer to
verify that you no longer use the Yahoo login pippi_longstalking?” List the artifacts
for which the detective should be looking to either support or refute Rufus’
assertion that he no longer uses this Yahoo login. Explain.
4. While the detective has Rufus’ computer from Question 3, she decides to look for
evidence that Rufus is the stalker. (A) What artifacts should she be looking for?
Explain. (B) Assuming she finds this evidence, do you think it would be considered a
legal search if challenged? Explain.
5. Rufus’ computer is running Windows 2000 with the FAT32 file system. Select two of
the artifacts you identified in Question 4. Let’s say, Rufus deleted artifact #1, and
emptied the recycle bin. Then, Rufus deleted artifact #2, but failed to empty the
recycle bin. (A) Explain what the file system would look like – show an example. (B)
What tools might be used to recover these two deleted files? How do they work?
6. In the process of interviewing professors that have had both Suzie and Rufus in their
classes, the detective finds that in one class, Suzie and Rufus were assigned a team
project last January. However, Rufus did not follow through with the work he had
promised, and as a result, both he and Suzie received a low grade in the class. Several
other students said that Suzie was very angry with Rufus. The detective becomes
suspicious that Suzie may have used Rufus’ dormant Yahoo account to send herself
the e-mails. (A) Based on this theory, do you think the detective has probable cause to
search Suzie’s computer? Explain. (B) If Suzie’s computer was searched, list the
artifacts for which the detective should be looking. Explain.
7. Let’s assume the detective could not get a warrant. (A) What could the detective look
for that would not require a warrant to search Suzie’s computer? Explain. (B) What
could this information be used for? Explain.
8. In the process of searching a hard drive, the investigator may execute a “keyword
search”. (A) Explain the difference between a logical and physical search. (B) Which
is more accurate? Explain.
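Questions 5 and 8 above share one mechanism, so the following added example (Python, written for this edition of the article, not the author's course material or answer key) models both in a toy FAT32-style volume. It assumes 16-byte clusters and an emulated delete, and it keeps what FAT32 actually does when a file is removed after the Recycle Bin is emptied: the first byte of the 32-byte directory entry is overwritten with 0xE5, the cluster chain is released in the FAT, and the data clusters are left alone, so the name remnant, file size and starting cluster are what an undelete tool reads back. The Recycle Bin stage itself (the renamed copy that survives until the bin is emptied) is not modeled. The class and function names (`ToyVolume`, `build_demo`, `logical_search`, `physical_search`, `recover_deleted`) are chosen for this example.

```python
"""Toy FAT32-style volume for the exam questions above: what a deleted directory entry
looks like, how an undelete tool recovers it, and why logical and physical keyword
searches give different answers. Constructed example; not a real FAT32 driver."""
import struct

CLUSTER_SIZE = 16            # absurdly small clusters so the image is readable
FREE, EOC = 0x00000000, 0x0FFFFFFF   # FAT32 free-cluster and end-of-chain markers


def make_dir_entry(name, ext, first_cluster, size):
    """Build a 32-byte FAT short-name directory entry: 8.3 name, attribute byte,
    first-cluster high word at 0x14, low word at 0x1A, file size at 0x1C.
    Timestamp fields are zeroed for the toy."""
    return struct.pack("<8s3sB8sH4sHI",
                       name.ljust(8).encode(), ext.ljust(3).encode(),
                       0x20,            # ATTR_ARCHIVE
                       b"\x00" * 8,     # NT reserved, creation time/date, last access date
                       first_cluster >> 16,
                       b"\x00" * 4,     # write time/date
                       first_cluster & 0xFFFF, size)


def parse_dir_entry(raw):
    """Decode an entry. A first byte of 0xE5 means 'deleted': the rest of the name,
    the size and the starting cluster all survive, which is what undelete tools rely on."""
    name, ext, attr, _, hi, _, lo, size = struct.unpack("<8s3sB8sH4sHI", raw)
    deleted = name[0] == 0xE5
    shown = (b"?" + name[1:]) if deleted else name
    return {"name": shown.decode().strip() + "." + ext.decode().strip(),
            "deleted": deleted, "attr": attr,
            "first_cluster": (hi << 16) | lo, "size": size}


class ToyVolume:
    def __init__(self, n_clusters):
        self.fat = [FREE] * n_clusters
        self.data = bytearray(n_clusters * CLUSTER_SIZE)
        self.root = []            # raw 32-byte root directory entries

    def write_file(self, name, ext, content, clusters):
        """Store content in the given clusters (may be non-contiguous) and chain them in the FAT."""
        assert len(clusters) * CLUSTER_SIZE >= len(content)
        for i, c in enumerate(clusters):
            chunk = content[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            self.data[c * CLUSTER_SIZE:c * CLUSTER_SIZE + len(chunk)] = chunk
            self.fat[c] = clusters[i + 1] if i + 1 < len(clusters) else EOC
        self.root.append(make_dir_entry(name, ext, clusters[0], len(content)))

    def delete_file(self, index):
        """Emulate an OS-level delete (Recycle Bin already emptied): free the FAT chain
        and overwrite the entry's first byte with 0xE5. The data clusters are left alone."""
        entry = bytearray(self.root[index])
        cluster = parse_dir_entry(bytes(entry))["first_cluster"]
        while cluster not in (FREE, EOC):
            nxt = self.fat[cluster]
            self.fat[cluster] = FREE
            cluster = nxt
        entry[0] = 0xE5
        self.root[index] = bytes(entry)

    def read_file(self, entry):
        """Logical view: follow the FAT chain from the starting cluster, then trim to size."""
        info = parse_dir_entry(entry)
        out, cluster = bytearray(), info["first_cluster"]
        while cluster not in (FREE, EOC):
            out += self.data[cluster * CLUSTER_SIZE:(cluster + 1) * CLUSTER_SIZE]
            cluster = self.fat[cluster]
        return bytes(out[:info["size"]])

    def recover_deleted(self, entry):
        """What a simple undelete tool does: trust the surviving start cluster and size
        and assume the file was stored contiguously (wrong if it was fragmented)."""
        info = parse_dir_entry(entry)
        start = info["first_cluster"] * CLUSTER_SIZE
        return bytes(self.data[start:start + info["size"]])

    def logical_search(self, keyword):
        """Search only live files, reading each through its FAT chain."""
        return [parse_dir_entry(e)["name"] for e in self.root
                if not parse_dir_entry(e)["deleted"] and keyword in self.read_file(e)]

    def physical_search(self, keyword):
        """Search the raw image ignoring the file system; returns byte offsets of hits."""
        hits, pos = [], self.data.find(keyword)
        while pos != -1:
            hits.append(pos)
            pos = self.data.find(keyword, pos + 1)
        return hits


def build_demo():
    """Two files: one live but fragmented (the keyword straddles clusters 2 and 5),
    one deleted (clusters 6-7). Returns the volume and the parsed deleted entry."""
    vol = ToyVolume(8)
    vol.write_file("REPORT", "TXT", b"Dear Suzie: I saw you last week in class.", [2, 5, 3])
    vol.write_file("NOTES", "TXT", b"I own a very large knife.", [6, 7])
    vol.delete_file(1)
    return vol, parse_dir_entry(vol.root[1])


if __name__ == "__main__":
    vol, gone = build_demo()
    print("deleted entry:", gone)
    print("logical 'saw you':", vol.logical_search(b"saw you"), " physical:", vol.physical_search(b"saw you"))
    print("logical 'knife'  :", vol.logical_search(b"knife"), " physical:", vol.physical_search(b"knife"))
    print("undelete:", vol.recover_deleted(vol.root[1]))
```

Running the demo shows the two searches disagreeing in both directions: the physical scan finds "knife" inside the deleted file's still-intact clusters, which the logical search never visits, while the logical search finds "saw you" in the live file, which the physical scan misses because the keyword is split across non-contiguous clusters. Neither is simply "more accurate"; an examiner runs both. Two caveats for real media that the toy omits: on Windows FAT32 volumes the high word of the starting cluster is typically zeroed at deletion, so recovery on large volumes may need carving rather than trusting the entry, and a file deleted through Explorer first lives on as a renamed copy in the Recycle Bin until the bin is emptied.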
ACKNOWLEDGMENTS
Many thanks to the students in past and future computer forensics courses as well as to
Golden Richard of New Orleans University who convinced me that others may be
interested in using this approach. Thanks are also due to Anna Carlin and David Manson
of the California State Polytechnic University, who adopted this approach to structuring a
forensics class project [Carlin et al. 2005] after attending a presentation made by the
author at the First Annual IFIP WG 11.9 International Conference on Digital Forensics at
the University of Central Florida in February 2005. It is only through a willingness by
others to replicate new ideas that the viability of any pedagogical technique can be truly
evaluated.
REFERENCES
ALTHEIDE, C. 2004. Forensic analysis of Windows hosts using UNIX-based tools. Digital Investigation (Sept),
197-212.
CARLIN, A., CURL, S., AND MANSON, D. 2005. To catch a thief: Computer forensics in the classroom. In
Proceedings of the 22nd Annual Information Systems Educators Conference (Columbus, OH, Oct.),
Association of Information Technology Professionals, Chicago, IL.
HARRISON, W. 2004. The digital detective: An introduction to digital forensics. In Advances in Computers, vol.
60, M. Zelkowitz, ed., Academic Press.
YASINSAC, A., ERBACHER, R., MARKS, D., AND POLLITT, M. 2003. Computer forensics education. IEEE
Security & Privacy (July/Aug.), 15-23.

Received March 2005; revised January 2007; accepted January 2007
