Page 1: Digital Forensics

Digital Forensics

Dr. Bhavani Thuraisingham

The University of Texas at Dallas

Introduction to the Course

August 30, 2013

Page 2: Digital Forensics

Outline of the Unit

- Objective of the Course

- Outline of the Course

- Course Work

- Course Rules

- Contact

- Text Book: Guide to Computer Forensics and Investigations

- Bill Nelson, Amelia Phillips, Frank Enfinger, and Christopher Steuart

- Thomson Course Technology

Page 3: Digital Forensics

Objective of the Course

The course describes concepts, developments, challenges, and directions in Digital Forensics.

Text Book: Guide to Computer Forensics and Investigations, Bill Nelson et al. Topics include:

- Digital forensics fundamentals, systems and tools; digital forensics evidence and capture; digital forensics analysis

Page 4: Digital Forensics

Outline of the Course

Introduction to Data and Applications Security and Digital Forensics

SECTION I: Computer Forensics

Part I: Background on Information Security

Part II: Computer Forensics Overview

- Chapters 1, 2, 3, 4, 5

Part III: Computer Forensics Tools, File Systems

- Chapters 6, 7, 8

Part IV: Computer Forensics Analysis

- Chapters 9, 10

Part V: Applications

- Chapters 11, 12, 13

Page 5: Digital Forensics

Outline of the Course

Part VI: Expert Witness

- Chapters 14, 15, 16

Additional Topics for Exam #1 and Part 1 of class

- Data mining for malware detection, insider threat, author attribution

- Selective Publication of Digital Evidence

- Guest lecture on Frankenstein

Page 6: Digital Forensics

Outline of the Course

SECTION II

- Selected Papers from Digital Forensics Research Workshop as well as some other publications

- Cloud computing and forensics

- Dr. Lin’s lecture on Reverse engineering for Forensics

- GIAC Certified Forensic Examiner (GCFE) review: what we have covered plus log analysis, registry analysis, Windows artifacts analysis, mobile system forensics, browser forensics

Guest Lectures

- Richardson Police Department

- North Texas FBI (Friday afternoon)

- Digital Forensics Company in DFW area

Page 7: Digital Forensics

Course Work

- Two exams: 20 points each

- Term paper: 12 points

- Programming project: 20 points

- Digital forensics project: 16 points

- Four assignments: 8 points each, 32 points total

Page 8: Digital Forensics

Tentative Schedule

- Assignment #1 due: September 20, 2013

- Assignment #2 due: September 27, 2013

- Term paper: October 11, 2013

- Exam #1: October 18, 2013

- Assignment #3: October 25 – November 1, 2013

- Assignment #4: November 1 – November 8, 2013

- Digital Forensics Project: November 15, 2013

- Programming Project: November 22, 2013

- Exam #2: December 13, 2013

Page 9: Digital Forensics

Term Paper Outline

- Abstract

- Introduction

- Analyze algorithms, survey, ...

- Give your opinions

- Summary/Conclusions

Page 10: Digital Forensics

Term Paper Guidelines

Around 5 pages, single spaced, 12 point Times Roman font

Take any topic related to forensics – e.g., crime scene analysis, file system forensics

Abstract and Introduction – 1 page

Discuss some of the techniques for that particular topic – 2 pages

Give an analysis of these techniques – 1 page

Conclusion – half a page

References – list all the references

Page 11: Digital Forensics

Programming/Digital Forensics Projects

EnCase evaluation, or develop a system/simulation related to digital forensics, e.g.:

- Intrusion detection

- Ontology management for digital forensics

- Representing digital evidence in XML

- Search for certain keywords

Page 12: Digital Forensics

Course Rules

Unless special permission is obtained from the instructor, each student will work individually

Copying material from other sources will not be permitted unless the source is properly referenced

Any student who plagiarizes from other sources will be reported to the Computer Science department and any other committees as advised by the department

Page 13: Digital Forensics

Assignments for the Class: Hands-on projects from the text book

Assignment #1

- Chapter 2: 2-1, 2-2, 2-3

Assignment #2

- Chapter 4: 4-1, 4-2

- Chapter 5: 5-1, 5-2

Assignment #3

- Chapter 9: 9-1, 9-2

- Chapter 10: 10-1

Assignment #4

- Chapter 12: 12-1, 12-2, 12-3

Page 14: Digital Forensics

Papers to Read for Exam #1

September 20: Author Attribution

Large-scale plagiarism detection and authorship attribution

(1) Juxtapp: A Scalable System for Detecting Code Reuse Among Android Applications

- http://www.cs.berkeley.edu/~dawnsong/papers/2012%20juxtapp_dimva12.pdf

(2) On the Feasibility of Internet-Scale Author Identification

- http://www.cs.berkeley.edu/~dawnsong/papers/2012%20On%20the%20Feasibility%20of%20Internet-Scale%20Author%20Identification.pdf

September 27: Insider Threat Detection

Pallabi Parveen, Nate McDaniel, Varun S. Hariharan, Bhavani M. Thuraisingham, Latifur Khan: Unsupervised Ensemble Based Learning for Insider Threat Detection. SocialCom/PASSAT 2012: 718-727

Page 15: Digital Forensics

Papers to Read for Exam #1

October 4: Secure publication of digital evidence (in XML) - secure XML publishing

Elisa Bertino, Barbara Carminati, Elena Ferrari, Bhavani M. Thuraisingham, Amar Gupta: Selective and Authentic Third-Party Distribution of XML Documents. IEEE Trans. Knowl. Data Eng. 16(10): 1263-1278 (2004)

The proofs and the math are not needed

October 11: Network forensics analysis with evidence graphs

- Network Forensics Analysis with Evidence Graph

- https://www.dfrws.org/2005/proceedings/wang_evidencegraphs.pdf

Page 16: Digital Forensics

Index to lectures for Exam #1

- Lecture 1: Digital Forensics (8/30/2013) (extra credit)

- Lecture 2: Cyber Security Modules (8/30/2013) (not included in the exam)

- Lecture 3: Data Mining for Malware Detection

- Lecture 4: Adaptive Malware (not included in the exam)

- Lecture 5: Data Mining (not included in the exam)

- Lecture 6: Data Recovery, Evidence Collection, Preservation

- Lecture 7: Data Acquisition, Processing Crime Scenes, DF Analysis

- Lecture 8: File Systems and Forensics Tools

- Lecture 9: Validation and Recovery of Graphic Files, Steganography

- Lecture 10: Network and Application Forensics

- Lecture 11: Expert Witness and Report Writing

- Lecture 12: Plagiarism Detection and Author Attribution (Anduleep's lecture)

Page 17: Digital Forensics

Index to lectures for Exam #1

- Lecture 13: Unsupervised Ensemble-Based Learning for Insider Threat (Nate's lecture)

- Lecture 14: Secure Publishing of XML Data (Digital Evidence)

- Lecture 15: Frankenstein guest lecture (not included in the exam)

NOTE: You need to understand the main concepts of the lectures, the book and the papers for the exam. You can skip the math details and the detailed algorithms

Page 18: Digital Forensics

Papers to Read for Exam #2 (October 25): Database Forensics

http://www.cs.arizona.edu/people/rts/publications.html#auditing

Richard T. Snodgrass, Stanley Yao and Christian Collberg, "Tamper Detection in Audit Logs," in Proceedings of the International Conference on Very Large Databases (VLDB), Toronto, Canada, August–September 2004, pp. 504–515.

- Tamper detection in audit logs: did the problem occur? (analogous to intrusion detection)

Kyri Pavlou and Richard T. Snodgrass, "Forensic Analysis of Database Tampering," in Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD), pp. 109–120, Chicago, June 2006.

- Forensic analysis of database tampering: who caused the problem? (analogous to digital forensics analysis)
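As an added illustration of the idea behind tamper-evident audit logs that these two papers study (example code written for this page, not the papers' own scheme; their hashing structure and notarization protocol are not reproduced here), the following Python builds a hash-chained log, verifies it against a final hash that is assumed to have been published out of band, and reports the index of the first entry at which the chain breaks. The audit records are constructed sample data and the function names are this example's own.

```python
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # chain anchor for the first entry


def entry_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over (previous hash || canonical JSON of the record)."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"|" + payload).hexdigest()


def build_log(records: List[dict]) -> List[dict]:
    """Append records in order, chaining each entry's hash to its predecessor."""
    log, prev = [], GENESIS
    for rec in records:
        h = entry_hash(prev, rec)
        log.append({"record": rec, "hash": h})
        prev = h
    return log


def verify_log(log: List[dict], notarized_tail: str) -> Optional[int]:
    """Return None if the log is intact, else the index of the first entry
    that cannot be trusted. Modification, deletion or reordering inside the
    log breaks a link; truncation, or a full re-hash of the log after editing,
    is caught only because the final hash is compared with a copy held outside
    the log (notarized_tail), which the attacker is assumed unable to alter."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry_hash(prev, entry["record"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    if prev != notarized_tail:
        return len(log)  # internally consistent, but not the chain that was notarized
    return None


# Constructed sample audit records (not real data).
SAMPLE = [
    {"ts": "2013-10-04T09:00:00Z", "user": "alice", "op": "UPDATE", "table": "accounts", "row": 17},
    {"ts": "2013-10-04T09:05:00Z", "user": "bob", "op": "DELETE", "table": "accounts", "row": 42},
    {"ts": "2013-10-04T09:07:00Z", "user": "alice", "op": "INSERT", "table": "audit", "row": 1},
]


def demo() -> tuple:
    """Exercise the cases; returns (intact, modified, truncated, rehashed) results."""
    log = build_log(SAMPLE)
    tail = log[-1]["hash"]  # stands in for the value published out of band

    intact = verify_log(log, tail)

    # Case 1: bob's DELETE is rewritten in place to look harmless.
    modified = [dict(e, record=dict(e["record"])) for e in log]
    modified[1]["record"]["op"] = "SELECT"
    first_bad_modified = verify_log(modified, tail)

    # Case 2: the last entry is removed; every remaining link still holds.
    first_bad_truncated = verify_log(log[:-1], tail)

    # Case 3: the attacker edits the record AND recomputes every hash.
    rehashed = build_log([e["record"] for e in modified])
    first_bad_rehashed = verify_log(rehashed, tail)

    return intact, first_bad_modified, first_bad_truncated, first_bad_rehashed


if __name__ == "__main__":
    print(demo())
```

A mismatch answers the first paper's question (tampering occurred); the returned index only bounds the second (the earliest entry the tampering could have touched) and cannot by itself say who did it. Without the out-of-band copy of the final hash, an attacker with write access to the log could edit a record and recompute the whole chain, which is why verification compares the tail and not just the links.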

Page 19: Digital Forensics

Papers to Read for Exam #2: November 1, 2013

XIRAF – XML-based indexing and querying for digital forensics

- http://dfrws.org/2006/proceedings/7-Alink.pdf

Selective and intelligent imaging using digital evidence bags (Ryan)

- http://dfrws.org/2006/proceedings/8-Turner.pdf

Detecting false captioning using common-sense reasoning (James)

- http://dfrws.org/2006/proceedings/9-Lee.pdf

Forensic feature extraction and cross-drive analysis

- http://dfrws.org/2006/proceedings/10-Garfinkel.pdf

A correlation method for establishing provenance of timestamps in digital evidence (Raul)

- http://dfrws.org/2006/proceedings/13-%20Schatz.pdf

FORZA – Digital forensics investigation framework that incorporates legal issues (Eric)

- http://dfrws.org/2006/proceedings/4-Ieong.pdf

Page 20: Digital Forensics

Papers to Read for Exam #2: November 8, 2013

A cyber forensics ontology: Creating a new approach to studying cyber forensics (Grace)

- http://dfrws.org/2006/proceedings/5-Brinson.pdf

Arriving at an anti-forensics consensus: Examining how to define and control the anti-forensics problem (Eric)

- http://dfrws.org/2006/proceedings/6-Harris.pdf

"Advanced Evidence Collection and Analysis of Web Browser Activity", Junghoon Oh, Seungbong Lee and Sangjin Lee (David)

- http://www.dfrws.org/2011/proceedings/12-344.pdf

Forensic Investigation of Peer-to-Peer File Sharing Network. Robert Erdely, Thomas Kerle, Brian Levine, Marc Liberatore and Clay Shields (Pedro)

- http://www.dfrws.org/2010/proceedings/2010-311.pdf

Android Anti-Forensics Through a Local Paradigm. Alessandro Distefano, Gianluigi Me and Francesco Pace (Daun)

- http://www.dfrws.org/2010/proceedings/2010-310.pdf

Page 21: Digital Forensics

Papers to Read for Exam #2: November 8, 2013 (continued)

"An Automated Timeline Reconstruction Approach for Digital Forensic Investigations", Christopher Hargreaves and Jonathan Patterson (Cranfield University) (Jason)

- http://www.dfrws.org/2012/proceedings/DFRWS2012-8.pdf

"A General Strategy for Differential Forensic Analysis", Simson Garfinkel (Naval Postgraduate School), Alex Nelson (University of California, Santa Cruz) and Joel Young (Naval Postgraduate School) (Garrett)

- http://www.dfrws.org/2012/proceedings/DFRWS2012-6.pdf

"Bin-Carver: Automatic Recovery of Binary Executable Files", Scott Hand, Zhiqiang Lin (University of Texas at Dallas), Guofei Gu (Texas A&M University) and Bhavani Thuraisingham (University of Texas at Dallas) (Ryan)

- http://www.dfrws.org/2012/proceedings/DFRWS2012-12.pdf

Page 22: Digital Forensics

Index to lectures for Exam #2

- Lecture 16: Secure Cloud Computing

- Lecture 17: Virtualization Security

- Lecture 18: Database Tampering – Thuraisingham

- Lecture 19: Guest Lecture – Memory Forensics

- Lecture 20: Guest Lecture – Mobile Phone Forensics

- Lecture 21: Some Digital Forensics Topics for GCFE

- Lecture 22: Database Tampering – Byrd

- Lecture 23: Database Tampering – Raul

- Lecture 24: Selective and Intelligent Imaging Using Digital Evidence Bags – Ryan

- Lecture 25: Cyber Forensics Ontology

- Lecture 26: Android Forensics – Daun

Page 23: Digital Forensics

Index to lectures for Exam #2

- Lecture 27: Detecting False Captioning – Byrd

- Lecture 28: Timeline Reconstruction

- Lecture 29: Bin-Carver

- Lecture 30: Arriving at an Anti-Forensics Consensus

- Lecture 31: Guest Lecture – Space Traveler

- Lecture 32: P2P Investigation

- Lecture 33: FORZA Framework

- Lecture 34: Advanced Evidence Collection and Analysis of Web Browser Activity

- Lecture 35: XIRAF – XML-based Indexing and Querying for Digital Forensics

Page 24: Digital Forensics

Lectures: November 15 and 22

November 15: Guest Lecture: Mobile Phone Forensics; GCFE exam topics (high level); review for exam

November 22: Guest Lecture: VM Space Traveler; XIRAF paper; review for exam

Page 25: Digital Forensics

December 6th and 13th

December 6 Tour of FBI Lab

December 13 Exam #2

Page 26: Digital Forensics

Contacts: Instructor

- Dr. Bhavani Thuraisingham

- Louis Beecherl Distinguished Professor of Computer Science

- Executive Director of the Cyber Security Research and Education Institute

- Erik Jonsson School of Engineering and Computer Science

- The University of Texas at Dallas Richardson, TX 75080

- Phone: 972-883-4738

- Fax: 972-883-2399

- Email: [email protected]

- URL: http://www.utdallas.edu/~bxt043000/

Page 27: Digital Forensics

Contacts: Teaching Assistant

Mohammed Iftekhar [email protected]

Teaching Assistant, Computer Science; PhD, Computer Science, Erik Jonsson School of Engineering and Computer Science