Cyber Forensics: An Academic Partnership with Pittsburgh Technical College

by Professor Phil Grabowski

One of the most important aspects to get a Cyber Security or Security Forensics job is to show evidence of work experience, internships, certifications, participating in Cyber Security Challenges, and degrees. Philip Grabowski Professor at Pittsburgh Technical College for the School of Information Systems and Technology does exactly that with hands-on experience in the classroom. Using a wide variety of forensics tools in the classroom for Digital Forensics, Ethical Hacking and Cyber Security.

Grabowski not only teaches the theory of forensics or Cyber Security he uses hackathon’s and cybersecurity challenges that are provided free of charge to his students from Symantec Coyote Diamond, IBM’s Master the Mainframe contest, Syracuse SEED Labs, and the Digital Forensic Research Workshop (DFRWS). More importantly, Grabowski insists on academic partnerships with industry technologies and companies.

Studies from Ponemon from the 2017 Cost of a Data Breach Study show us that the number of days to detect a breach is over 200 days.  It is imperative that students get acclimated to software in the classroom before they leave school because the average time an IT person gets to look at the software on any given IT day is about a half an hour maximum. That is why companies like AlienVault, Paessler PRTG, Correlog, Belkasoft, and Comodo provide an Academic Partnership and free software to PTC’s Information Technology students.

Students can obtain an associate’s degree in Information Systems in a concentration of Network Administration, Security, and Programming. They can continue their education at PTC with a bachelor’s of science with a concentration of Information Technology, Information Systems Security, and Information Systems Development.

PTC is also partnered with IBM Academic Initiative, Cisco, and Red Hat Academy. Using the tools in the classroom is imperative. We have three different Security Incident and Environment Management Software (SIEM’s) that can be used in the lab environment such as Alien Vault, IBM Qradar, and Correlog. Seeing all three products at any given time has advantages. Students get firsthand experience installing the product, patching the product, maintaining the product, and monitoring the resources of the product. Before they leave school they have the real hand on experience of an industry product that is used in the field.  This generates sales in the future because students have heard of the product and use the product.  They also become important voices to C-level management about products.

Several students that have graduated from the associate’s program have come back and stated that the knowledge they gained from using the software in the classroom helps them with their day-to-day operations. Companies that hire from PTC IT graduates are currently using AlienVault and PRTG.

The Ponemon study showed that a majority of the breached organization were notified by someone other than their own staff. Grabowski concludes that is a problem because IT people do not know the software used in the industry. They don’t have time to analyze the software and they don’t have time in their day to day operations to learn how to use the product. If it is in the classroom first we can literally send out hundreds of students a year with product knowledge. To be able to be a professional tester you must use the same techniques that a criminal hacker does to search for vulnerabilities.

At any given moment a student can spin up a virtual workstation on VMware Virtual Center Stack using hybrid Nimble Technology and create an entire infrastructure. Any distribution of Linux can be used as well as any Microsoft Operating System. Linux distribution for security includes Kali 2018, Deft, Paladin, and Security Onion. Grabowski also uses Syracuse’s University’s Security Education (SEED) labs provided by Dr. Kevin Wu, which are based on Ubuntu.  The SEED labs provide an abundance of training for information security education.

IBM Qradar a SIEM runs on Redhat, AlienVault runs on Debian.  Core log runs on anything and can be easily installed onto a Windows operating system. PRTG is also a self-install onto a Windows operating system. We have marketed these tools thoroughly in the cybersecurity realm. However, who has time to understand what is going on with the product? When we monitor things in something as common as Wireshark sniffer, we could literally learn something new every day.  When using something like Wireshark we can see everything happening we just need to learn how to filter it properly to find what we are looking for. Did a rogue device get an IP address from a Man in the Middle (MITM) attack? Did a Bluetooth device connect to the network or device? Was a door opened that was connected to a Google Hub? Did the Nest Smoke detector generate an encrypted alarm?

More importantly, as we start to understand these breaches, how did we detect them? How did we reconstruct the events? Using tools such as Belkasoft Evidence Center, Encase, FTK, Autopsy, or OSForensics in conjunction with Linux Distros of Kali for Pen testing.

Even more beneficial is to determine an actual false positive in a SIEM. Recently we were trying to detect torrent traffic on our network and we having problems popping the alarm. Then a week later the alarm popped up in the executive summary dashboard as torrent traffic. The port was reporting 17500, which isn’t common for torrent traffic. Torrent traffic is on ports 6881-6889. Was the port obfuscated? Pinging the IP address of the VM we retrieved a hostname which corresponded to a student ID. Upon questioning the student to determine if they were running torrent traffic they denied their involvement. Believable because the student was a trustworthy student. The research concluded that he opened DropBox on the computer, which indeed uses port 17500.

Students also participate in live hackathons or in Master the Mainframe contest. Symantec held a hack that included Ransomware. Students had to determine a bitcoin address, look in Wireshark to find the URL, gain admin rights of the website, and then convert the encrypted file using the key with Python. Technologies included Wireshark, bitcoin, Ransomware, PHP, Python, Linux.  In that particular hackathon, there is a tremendous gain of reconstructing events, which become a valuable asset to our skill sets that reinforce the theory in the classroom. We learn something new every day from the products we get to use every day.

About the Author

Phil Grabowski is an IT Network and Security Forensics Instructor at Pittsburgh Technical College located in Oakdale Pennsylvania. He has an AS degree in Specialized Technology Electronics from Penn Technical Institute, BS degree and Information Systems with a concentration in Security from the University of Phoenix, MS in Management with a concentration in Security from Colorado Technical University, and an MS in Information Systems and Communications from Robert Morris University. With over 20 years’ experience as a hardware technician in the field, he now teaches over 20 courses at PTC as a full-time faculty member. He is also an IBM z Champion for his work with Mainframe Technology.