Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Introduction to the Course August 30, 2013.

Outline of the Unit
- Objective of the Course
- Outline of the Course
- Course Work
- Course Rules
- Contact

Text Book: Guide to Computer Forensics and Investigations
- Bill Nelson, Amelia Phillips, Frank Enfinger, and Christopher Steuart
- Thompson Course Technology

Objective of the Course
- The course describes concepts, developments, challenges, and directions in Digital Forensics.
- Text Book: Computer Forensics and Investigations. Bill Nelson et al.
- Topics include:
  - Digital forensics fundamentals, systems and tools, Digital forensics evidence and capture, Digital forensics analysis,

Outline of the Course
- Introduction to Data and Applications Security and Digital Forensics
- SECTION 1: Computer Forensics
- Part I: Background on Information Security
- Part II: Computer Forensics Overview
  - Chapters 1, 2, 3, 4, 5
- Part III: Computer Forensics Tools, File systems
  - Chapters 6, 7, 8
- Part IV: Computer Forensics Analysis
  - Chapters 9, 10
- Part V: Applications
  - Chapters 11, 12, 13

Outline of the Course
- Part VI: Expert Witness
  - Chapters 14, 15, 16
- Additional Topics for Exam #1 and Part 1 of class
  - Data Mining Malware, Insider Threat, Author Attribution
  - Selective Publication of Digital Evidence
  - Guest lecture on Frankenstein

Outline of the Course
- SECTION II
  - Selected Papers from Digital Forensics Research Workshop as well as some other publications
  - Cloud computing and forensics
  - Dr. Lin's lecture on Reverse engineering for Forensics
  - GIAC Certified Forensics Examination Review
- What we have covered + Log analysis, registry analysis, Windows artifacts analysis, mobile system forensics, browser forensics
- Guest Lectures
  - Richardson Police Department
  - North Texas FBI (Friday afternoon)
  - Digital Forensics Company in DFW area

Course Work
- Two exams: 20 points each
- Term paper: 12 points
- Programming project: 20 points
- Digital Forensics project: 16 points
- Four assignments each worth 8 points, total: 32 points

Tentative Schedule
- Assignment #1 due date: September 20, 2013
- Assignment #2 due date: September 27, 2013
- Term paper #1: October 11, 2012
- Exam #1: October 18, 2013
- Assignment #3: October 25, 2012 – November 1, 2013
- Assignment #4: November 1, 2013 – November 8, 2103
- Digital Forensics Project: November 15, 2012
- Programming Project: November 22, 2012
- Exam #2: December 13, 2013

Term Paper Outline
- Abstract
- Introduction
- Analyze algorithms, Survey,
- Give your opinions
- Summary/Conclusions

Term Paper Guidelines
- Around 5 pages, single spaced, 12 point, Times Roman font
- Take any topic related to forensics, e.g., crime scene analysis, file system forensics
- Abstract and Introduction: 1 page
- Discuss some of the techniques for that particular topic: 2 pages
- Give an analysis of these techniques: 1 page
- Conclusion: half a page
- References: list all the references

Programming/Digital Forensics Projects
- Encase evaluation
- Develop a system/simulation related to digital forensics
  - Intrusion detection
  - Ontology management for digital forensics
  - Representing digital evidence in XML
  - Search for certain key words

Course Rules
- Unless special permission is obtained from the instructor, each student will work individually
- Copying material from other sources will not be permitted unless the source is properly referenced
- Any student who plagiarizes from other sources will be reported to the Computer Science department and any other committees as advised by the department

Assignments for the Class: Hands-on projects from the text book
- Assignment #1
  - Chapter 2: 2.1, 2.2, 2.3
- Assignment #2
  - Chapter 4: 4.1, Chapter 5: 5.1, 5.2
- Assignment #3
  - Chapter 9: 9-1, Chapter 10: 10-1
- Assignment #4
  - Chapter 12: 12-1, 12-2, 12-3

Papers to Read for Exam #1
- September 20
- Author Attribution: Large-scale Plagiarism Detection and Authorship attribution
  - (1) Juxtapp: A Scalable System for Detecting Code Reuse Among Android Applications - _dimva12.pdf
  - (2) On the Feasibility of Internet-Scale Author Identification he%20Feasibility%20of%20Internet-Scale%20Author%20Identification.pdf
- September 27: Insider Threat Detection
  - Pallabi Parveen, Nate McDaniel, Varun S. Hariharan, Bhavani M. Thuraisingham, Latifur Khan: Unsupervised Ensemble Based Learning for Insider Threat Detection. SocialCom/PASSAT 2012

Papers to Read for Exam #1
- October 4: Secure publication of digital evidence (in XML)
  - Secure XML Publishing
- Elisa Bertino, Barbara Carminati, Elena Ferrari, Bhavani M. Thuraisingham, Amar Gupta: Selective and Authentic Third-Party Distribution of XML Documents. IEEE Trans. Knowl. Data Eng. 16(10): (2004)
- The proofs and the math are not needed
- October 11: Secure publication of digital evidence (in XML)
  - pdf
  - Network Forensics Analysis with Evidence Graph

Index to lectures for Exam #1
- Lecture #1: Digital Forensics (8/30/2013) (extra credit)
- Lecture #2: Cyber Security Modules (8/30/2013) (not included in the exam)
- Lecture #3: Data Mining for Malware detection
- Lecture 4: Adaptive malware (not included in the exam)
- Lecture 5: Data mining (not included in exam)
- Lecture 6: Data recovery, evidence collection, preservation
- Lecture 7: Data acquisition, processing crime scenes, DF analysis
- Lecture 8: File systems and forensics tools
- Lecture 9: Validation and recovery of graphic files, Steganography
- Lecture 10: Network and application forensics
- Lecture 11: Expert witness and report writing
- Lecture 12: Plagiarism Detection and Author Attribution (Anduleep's lecture)

Index to lectures for Exam #1
- Lecture #13: Unsupervised ensemble-based learning for insider threat (Nate's lecture)
- Lecture 14: Secure publishing of XML data (digital evidence)
- Lecture 15: Frankenstein guest lecture (not included in exam)

NOTE: You need to understand the main concepts of the lectures, the book and the papers for the exam. You can skip the math details and the detailed algorithms.

Papers to Read for Exam #2 (October 25): Database Forensics
- Richard T. Snodgrass, Stanley Yao and Christian Collberg, "Tamper Detection in Audit Logs," In Proceedings of the International Conference on Very Large Databases, Toronto, Canada, August–September 2004, pp. 504–
- Did the problem occur? (e.g. similar to intrusion detection)
- Kyri Pavlou and Richard T. Snodgrass, "Forensic Analysis of Database Tampering," in Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD), pages , Chicago, June,
- Who caused the problem (e.g., similar to digital forensics analysis)

Papers to Read for Exam #2: November 1, 2013
- XIRAF – XML-based indexing and querying for digital forensics
- Selective and intelligent imaging using digital evidence bags (Ryan)
- Detecting false captioning using common-sense reasoning (James)
- Forensic feature extraction and cross-drive analysis
- A correlation method for establishing provenance of timestamps in digital evidence (Raul)
- FORZA – Digital forensics investigation framework that incorporate legal issues (Eric)

Papers to Read for Exam #2: November 8, 2013
- A cyber forensics ontology: Creating a new approach to studying cyber forensics (Grace)
- Arriving at an anti-forensics consensus: Examining how to define and control the anti-forensics problem (Eric)
- "Advanced Evidence Collection and Analysis of Web Browser Activity", Junghoon Oh, Seungbong Lee and Sangjin Lee (David)
- Forensic Investigation of Peer-to-Peer File Sharing Network. Robert Erdely, Thomas Kerle, Brian Levine, Marc Liberatore and Clay Shields. (Pedro)
- Android Anti-Forensics Through a Local Paradigm. Alessandro Distefano, Gianluigi Me and Francesco Pace. (Daun)

Papers to Read for Exam #2: November 8, 2013
- "An Automated Timeline Reconstruction Approach for Digital Forensic Investigations" Christopher Hargreaves and Jonathan Patterson (Cranfield University) (Jason)
- "A General Strategy for Differential Forensic Analysis" Simson Garfinkel (Naval Postgraduate School), Alex Nelson (University of California, Santa Cruz) and Joel Young (Naval Postgraduate School) (Garrett)
- "Bin-Carver: Automatic Recovery of Binary Executable Files" Scott Hand, Zhiqiang Lin (University of Texas at Dallas), Guofei Gu (Texas A&M University) and Bhavani Thuraisingham (University of Texas at Dallas) (Ryan)

Index to lectures for Exam #2
- Lecture 16: Secure Cloud Computing
- Lecture 17: Virtualization Security
- Lecture 18: Database Tampering – Thuraisingham
- Lecture 19: Guest Lecture – Memory Forensics
- Lecture 20: Guest Lecture – Mobile phone forensics
- Lecture 21: Some digital Topics for GCFE
- Lecture 22: Database Tampering – Byrd
- Lecture 23: Database Tampering – Raul
- Lecture 24: Selective and Intelligent Imaging Using Digital Evidence Bags – Ryan
- Lecture 25: Cyber Forensics Ontology
- Lecture 26: Android Forensics – Daun

Index to lectures for Exam #2
- Lecture 27: Detecting False Captioning – Byrd
- Lecture 28: Timeline Reconstruction
- Lecture 29: Bin Carver
- Lecture 30: Arriving at an anti-forensics consensus
- Lecture 31: Guest Lecture – Space Traveler
- Lecture 32: P2P Investigation
- Lecture 33: Forza Framework
- Lecture 34: Advance evidence collection and analysis of web browser activity
- Lecture 35: XIRAF – XML-based indexing and querying for digital forensics

Lectures: November 15 and 22
- November 15:
  - Guest Lecture: Mobile phone forensics
  - GCFE Exam topics (High Level)
  - Review for exam
- November 22
  - Guest Lecture VM Space Traveler
  - XIRAF paper
  - Review for exam

December 6th and 13th
- December 6: Tour of FBI Lab
- December 13: Exam #2

Contacts: Instructor
- Dr. Bhavani Thuraisingham
- Louis Beecherl Distinguished Professor of Computer Science
- Executive Director of the Cyber Security Research and Education Institute
- Erik Jonsson School of Engineering and Computer Science
- The University of Texas at Dallas, Richardson, TX
- Phone: Fax: URL:

Contacts: Teaching Assistant
- Mohammed Iftekhar
- Teaching Assistant Computer Science PhD, Computer Science Erik Jonsson Sch of Engr & Com