Published by Francine Atkins. Modified over 9 years ago.
Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Introduction to the Course
August 31, 2012

Outline of the Unit
- Objective of the Course
- Outline of the Course
- Course Work
- Course Rules
- Contact
  - Text Book: Guide to Computer Forensics and Investigations
  - Bill Nelson, Amelia Phillips, Frank Enfinger, and Christopher Steuart
  - Thomson Course Technology

Objective of the Course
- The course describes concepts, developments, challenges, and directions in Digital Forensics.
- Text Book: Computer Forensics and Investigations. Bill Nelson et al.
- Topics include:
  - Digital forensics fundamentals, systems and tools, Digital forensics evidence and capture, Digital forensics analysis,

Outline of the Course
- Introduction to Data and Applications Security and Digital Forensics
- SECTION 1: Computer Forensics
- Part I: Background on Information Security
- Part II: Computer Forensics Overview
  - Chapters 1, 2, 3, 4, 5
- Part III: Computer Forensics Tools
  - Chapters 6, 7, 8
- Part IV: Computer Forensics Analysis
  - Chapters 9, 10
- Part V: Applications
  - Chapters 11, 12, 13

Outline of the Course
- Part VI: Expert Witness
  - Chapters 14, 15, 16
- SECTION II
  - Selected Papers
  - Digital Forensics Research Workshop
- Guest Lectures
  - Richardson Police Department
  - North Texas FBI
  - Digital Forensics Company in DFW area

Course Work
- Two exams: 20 points each
- Term paper: 12 points
- Programming project: 20 points
- Digital Forensics project: 16 points
- Four assignments each worth 8 points, total: 32 points

Tentative Schedule
- Assignment #1 due date: September 21, 2012 (September 28, 2012)
- Assignment #2 due date: September 28, 2012 (new date: October 12, 2012)
- Term paper #1: October 12, 2012 (October 26, 2012)
- Exam #1: October 19, 2012
- Assignment #3: October 26, 2012 (November 30, 2012)
- Assignment #4: November 2, 2012 (November 30, 2012)
- Digital Forensics Project: November 16, 2012 (November 30)
- Programming Project: November 30, 2012
- Exam #2: December 14, 2012

Term Paper Outline
- Abstract
- Introduction
- Analyze algorithms, Survey, - - -
- Give your opinions
- Summary/Conclusions

Programming/Digital Forensics Projects
- Encase evaluation
- Develop a system/simulation related to digital forensics
  - Intrusion detection
  - Ontology management for digital forensics
  - Representing digital evidence in XML
  - Search for certain key words

Course Rules
- Unless special permission is obtained from the instructor, each student will work individually.
- Copying material from other sources will not be permitted unless the source is properly referenced.
- Any student who plagiarizes from other sources will be reported to the Computer Science department and any other committees as advised by the department.

Contact
- For more information please contact
  - Dr. Bhavani Thuraisingham
  - Professor of Computer Science and Director of Cyber Security Research Center
  - Erik Jonsson School of Engineering and Computer Science, EC31, The University of Texas at Dallas, Richardson, TX 75080
  - Phone: 972-883-4738
  - Fax: 972-883-2399
  - Email: bhavani.thuraisingham@utdallas.edu
  - http://www.utdallas.edu/~bxt043000/

Assignments for the Class: Hands-on projects from the text book
- Assignment #1
  - Chapter 2: 2.1, 2.2, 2.3
- Assignment #2
  - Chapter 4: 4.1, 4.2
  - Chapter 5: 5.1, 5.2
- Assignment #3
  - Chapter 9: 9-1, 9-2
  - Chapter 10: 10-1
- Assignment #4
  - Chapter 12: 12-1, 12-2, 12-3

Papers to Read for Exam #1
- http://www.sciencedirect.com/science/article/pii/S1742287604000271 (crime scene analysis)
- http://www.porcupine.org/forensics/forensic-discovery/chapter3.html (file system basics)
- http://www.fbi.gov/about-us/lab/forensic-science-communications/fsc/july2004/research/2004_03_research01.htm (Steganography overview)
- http://www.dfrws.org/2005/proceedings/wang_evidencegraphs.pdf (network forensics, Iowa State U. paper)
- Pallabi Parveen, Jonathan Evans, Bhavani M. Thuraisingham, Kevin W. Hamlen, Latifur Khan: Insider Threat Detection Using Stream Mining and Graph Mining. SocialCom/PASSAT 2011: 1102-1110
- Learn the details of one forensics tool

Index to lectures for Exam #1
- Lecture #1: Digital Forensics (8/31/2012)
- Lecture #2: Cyber Security Modules (8/31/2012)
- Lecture #3: Data Mining background (no date)
- Lecture #4: Computer Forensics Data Recovery and Evidence Collection and Preservation (9/7/2012)
- Lecture 5: Data Mining for Malware Detection (Tapes: 9/14/2012)
- Lecture 6: File System Forensics (discussed 10/5/2012)
- Lecture 7: Encase Overview (discussed 9/28/2012)
- Lecture 8: Insider Threat – Ms Parveen Lecture (9/14/2012)
- Lecture 9: Data Acquisition, Processing Crime Scenes and Digital Forensics Analysis (9/21/2012)
- Lecture 10: Validation and Recovering Graphic Files and Steganography (9/28/2012)

Index to lectures for Exam #1
- Lecture 11: Expert Witness and Report Writing (10/12/2012)
- Lecture 12: Network and Applications Forensics (10/5/2012)

Index to lectures for Exam #2
- Lecture 13: Secure Sharing of Digital Evidence (1)
- Lecture 14: Richard Wartell Guest Lecture (10/26/2012)
- Lecture 15: Detecting False Captioning (Marie Yarbrough) (0.5)
- Lecture 16: Detection and Analysis of Database Tampering (1)
- Lecture 17: Virtualization Security (0.5)
- Lecture 18: Guest Lecture Mr. Satyen Abrol
- Lecture 19: Smartphone Malware detection (Dr. Zhou) (1)
- Lecture 20: Dr. Lin Lecture (1)
- Lecture 21: Selective and Intelligent Imaging, Nicholas Charlton (0.5)
- Lecture 22: XIRAF, Antonio Guzman (0.5)
- Lecture 23: Timestamps, Kirby Flake (0.5)

Index to lectures for Exam #2
- Lecture 24: Forza, Matt Lawrence (0.5)
- Lecture 25: Anti forensics, Charles Sammons (0.5)
- Lecture 26: Ontology for DF, Jason Mok (0.5)
- Lecture 27: Android Anti Forensics, Michael Johnston (0.5)
- Lecture 28: Forensics Investigation of peer to peer file sharing, Nate Bleaker (0.5)
- Lecture 29: Forensics Feature Extraction and cross drive analysis, David Pederson (0.5)
- Lecture 30: Advanced Evidence Collection and Analysis of Web Browser Activity, Jeff (0.5)
- Lecture 31: Secure Cloud Computing (0.5)

Papers to read Exam #2 (Lecture October 12, 2012)
- Elisa Bertino, Barbara Carminati, Elena Ferrari, Bhavani M. Thuraisingham, Amar Gupta: Selective and Authentic Third-Party Distribution of XML Documents. IEEE Trans. Knowl. Data Eng. 16(10): 1263-1278 (2004)
- Abhijith Shastry, Murat Kantarcioglu, Yan Zhou, Bhavani M. Thuraisingham: Randomizing Smartphone Malware Profiles against Statistical Mining Techniques. DBSec 2012: 239-254
- (this paper will be posted on e-learning. It is the lecture given by Dr. Yan Zhou)

Papers to Read for November 2, 2012
- http://www.cs.arizona.edu/people/rts/publications.html#auditing
- Richard T. Snodgrass, Stanley Yao and Christian Collberg, "Tamper Detection in Audit Logs," In Proceedings of the International Conference on Very Large Databases, Toronto, Canada, August–September 2004, pp. 504–515.
  - Tamper Detection in Audit Logs
- Did the problem occur? (e.g. similar to intrusion detection)
- Kyri Pavlou and Richard T. Snodgrass, "Forensic Analysis of Database Tampering," in Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD), pages 109-120, Chicago, June, 2006.
- Who caused the problem (e.g., similar to digital forensics analysis)

Papers to Read for November 2, 2012
- Papers on Intelligent Digital Forensics
- http://dfrws.org/2006/proceedings/7-Alink.pdf
- XIRAF – XML-based indexing and querying for digital forensics
- http://dfrws.org/2006/proceedings/8-Turner.pdf
- Selective and intelligent imaging using digital evidence bags
- http://dfrws.org/2006/proceedings/9-Lee.pdf
- Detecting false captioning using common-sense reasoning

Papers to Read for November 9
- Forensic feature extraction and cross-drive analysis
  - http://dfrws.org/2006/proceedings/10-Garfinkel.pdf
- A correlation method for establishing provenance of timestamps in digital evidence
  - http://dfrws.org/2006/proceedings/13-%20Schatz.pdf
- FORZA – Digital forensics investigation framework that incorporate legal issues
  - http://dfrws.org/2006/proceedings/4-Ieong.pdf
- A cyber forensics ontology: Creating a new approach to studying cyber forensics
  - http://dfrws.org/2006/proceedings/5-Brinson.pdf
- Arriving at an anti-forensics consensus: Examining how to define and control the anti-forensics problem
  - http://dfrws.org/2006/proceedings/6-Harris.pdf

Papers to Review for November 16
- "Advanced Evidence Collection and Analysis of Web Browser Activity", Junghoon Oh, Seungbong Lee and Sangjin Lee. http://www.dfrws.org/2011/proceedings/12-344.pdf
- Forensic Investigation of Peer-to-Peer File Sharing Network. Robert Erdely, Thomas Kerle, Brian Levine, Marc Liberatore and Clay Shields. http://www.dfrws.org/2010/proceedings/2010-311.pdf
- Android Anti-Forensics Through a Local Paradigm. Alessandro Distefano, Gianluigi Me and Francesco Pace. http://www.dfrws.org/2010/proceedings/2010-310.pdf