Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Introduction to the Course
August 30, 2013
Outline of the Unit
Objective of the Course Outline of the Course Course Work Course Rules Contact
- Text Book: Guide to Computer Forensics and Investigations
- Bill Nelson, Amelia Phillips, Frank Enfinger, and Christopher Steuart
- Thompson Course Technology
Objective of the Course
The course describes concepts, developments, challenges, and directions in Digital Forensics.
Text Book: Computer Forensics and Investigations. Bill Nelson et al, Topics include:
- Digital forensics fundamentals, systems and tools, Digital forensics evidence and capture, Digital forensics analysis,
Outline of the Course
Introduction to Data and Applications Security and Digital Forensics
SECTION 1: Computer Forensics Part I: Background on Information Security Part II: Computer Forensics Overview
- Chapters 1, 2, 3, 4, 5 Part III: Computer Forensics Tools, File systems
- Chapters 6, 7, 8 Part IV: Computer Forensics Analysis
- Chapters 9, 10 Part V Applications
- Chapters 11, 12, 13
Outline of the Course
Part VI: Expert Witness
- Chapters 14, 15, 16
Additional Topics for Exam #1 and Part 1 of class
- Data Mining Malware, Insider Threat, Author Attribution
- Selective Publication of Digital Evidence
- Guest lecture on Frankenstein
Outline of the Course
SECTION II
- Selected Papers from Digital Forensics Research Workshop as well as some other publications
- Cloud computing and forensics
- Dr. Lin’s lecture on Reverse engineering for Forensics
- GIAC Certified Forensics Examination Review What we have covered + Log analysis, registry
analysis, windows artifacts analysis, mobile system forensics, browser forensics
Guest Lectures
- Richardson Police Department
- North Texas FBI (Friday afternoon)
- Digital Forensics Company in DFW area
Course Work
Two exams 20 points each Term paper 12 points Programming project: 20 points Digital Forensics project: 16 points Four assignments each worth 8 points, total: 32 points
Tentative Schedule
Assignment #1 due date: September 20, 2013 Assignment #2: due date: September 27, 2013 Term paper #1: October 11, 2012 Exam #1: October 18, 2013 Assignment #3: October 25, 2012 – November 1, 2013 Assignment #4: November 1, 2013 – November 8, 2103 Digital Forensics Project: November 15, 2012 Programming Project: November 22, 2012 Exam #2: December 13, 2013
Term Paper Outline
Abstract Introduction Analyze algorithms, Survey, - - - Give your opinions Summary/Conclusions
Term Paper Guidelines
Around 5 pages, single spaced, 12 point , time roman font
Take any topic related to forensics – e.g., crime scene analysis, file system forensics
Abstract and Introduction – 1 page
Discuss some of the techniques for that particular topic – 2 pages
Give an analysis of these techniques – 1 page
Conclusion – half a page
References – list all the references
Programming/Digital Forensics Projects –
Encase evaluation Develop a system/simulation related to digital forensics
- Intrusion detection
- Ontology management for digital forensics
- Representing digital evidence in XML
- Search for certain key words
Course Rules
Unless special permission is obtained from the instructor, each student will work individually
Copying material from other sources will not be permitted unless the source is properly referenced
Any student who plagiarizes from other sources will be reported to the Computer Science department and any other committees as advised by the department
Assignments for the Class: Hands-on projects from the text book
Assignments #1
- Chapter 2: 2.1, 2.2, 2.3 Assignment #2
- Chapter 4: 4.1, 4.2
- Chapter 5: 5.1, 5.2 Assignment #3
- Chapter 9: 9-1, 9-2
- Chapter 10: 10-1 Assignment #4
- Chapter 12: 12-1, 12-2 , 12-3
Papers to Read for Exam #1
September 20Author Attribution
Large-scale Plagiarism Detection and Authorship attribution
- (1) Juxtapp: A Scalable System for Detecting Code Reuse Among Android Applications
- http://www.cs.berkeley.edu/~dawnsong/papers/2012%20juxtapp_dimva12.pdf
(2) On the Feasibility of Internet-Scale Author Identificationhttp://www.cs.berkeley.edu/~dawnsong/papers/2012%20On%20the%20Feasibility%20of%20Internet-Scale%20Author%20Identification.pdf
September 27: Insider Threat DetectionPallabi Parveen, Nate McDaniel, Varun S. Hariharan,
Bhavani M. Thuraisingham, Latifur Khan: Unsupervised Ensemble Based Learning for Insider Threat Detection. SocialCom/PASSAT 2012: 718-727
Papers to Read for Exam #1
October 4: Secure publication of digital evidence (in XML)- Secure XML Publishing
Elisa Bertino, Barbara Carminati, Elena Ferrari, Bhavani M. Thuraisingham, Amar Gupta: Selective and Authentic Third-Party Distribution of XML Documents. IEEE Trans. Knowl. Data Eng. 16(10): 1263-1278 (2004)
The proofs and the math are not needed
October 11: Secure publication of digital evidence (in XML)- https://www.dfrws.org/2005/proceedings/wang_evidencegraphs.
- Network Forensics Analysis with Evidence Graph
Index to lectures for Exam #1 Lecture #1: Digital Forensics (8/30/2013) (extra credit) Lecture #2: Cyber Security Modules (8/30/2013) (not included in the
exam) Lecture #3: Data Mining for Malware detection Lecture 4: Adaptive malware (not included in the exam) Lecture 5: Data mining (not included in exam) Lecture 6: Data recovery, evidence collection, preservation Lecture 7: Data acquisition, processing crime scenes, DF analysis Lecture 8: File systems and forensics tools Lecture 9: Validation and recovery of graphic files, Steganography Lecture 10: Network and application forensics Lecture 11: Expert witness and report writing Lecture 12: Plagiarism Detection and Author Attribution (Anduleep’s
lecture)
Index to lectures for Exam #1
Lecture #13 Unsupervised ensemble-based learning for insider threat (Nate’s lecture)
Lecture 14: Secure publishing of XML data (digital evidence) Lecture 15 : Frankenstein guest lecture (not included in exam)
NOTE: You need to understand the main concepts of the lectures, the book and the papers for the exam. You can skip the math details and the detailed algorithms
Papers to Read for Exam #2 (October 25)Database Forensics
http://www.cs.arizona.edu/people/rts/publications.html#auditing
Richard T. Snodgrass, Stanley Yao and Christian Collberg, "Tamper Detection in Audit Logs," In Proceedings of the International Conference on Very Large Databases, Toronto, Canada, August–September 2004, pp. 504–515.
- Tamper Detection in Audit Logs Did the problem occur? (e.g. similar to intrusion detection)
Kyri Pavlou and Richard T. Snodgrass, "Forensic Analysis of Database Tampering," in Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD), pages 109-120, Chicago, June, 2006.
Who caused the problem (e.g., similar to digital forensics analysis)
Papers to Read for Exam #2 November 1, 2013 XIRAF – XML-based indexing and querying for digital forensics
- http://dfrws.org/2006/proceedings/7-Alink.pdf Selective and intelligent imaging using digital evidence bags
- http://dfrws.org/2006/proceedings/8-Turner.pdf (Ryan) Detecting false captioning using common-sense reasoning (James)
- http://dfrws.org/2006/proceedings/9-Lee.pdf Forensic feature extraction and cross-drive analysis
- http://dfrws.org/2006/proceedings/10-Garfinkel.pdf A correlation method for establishing provenance of timestamps in
digital evidence (Raul)
- http://dfrws.org/2006/proceedings/13-%20Schatz.pdf FORZA – Digital forensics investigation framework that incorporate
legal issues (Eric)
- http://dfrws.org/2006/proceedings/4-Ieong.pdf
Papers to Read for Exam #2 November 8, 2013
A cyber forensics ontology: Creating a new approach to studying cyber forensics http://dfrws.org/2006/proceedings/5-Brinson.pdf (Grace)
Arriving at an anti-forensics consensus: Examining how to define and control the anti-forensics problem (Eric)
http://dfrws.org/2006/proceedings/6-Harris.pdf Advanced Evidence Collection and Analysis of Web Browser Activity",
Junghoon Oh, Seungbong Lee and Sangjin Lee (David) http://www.dfrws.org/2011/proceedings/12-344.pdf
Forensic Investigation of Peer-to-Peer File Sharing Network. Robert Erdely, Thomas Kerle, Brian Levine, Marc Liberatore and Clay Shields. (Pedro)
http://www.dfrws.org/2010/proceedings/2010-311.pdf Android Anti-Forensics Through a Local Paradigm. Alessandro Distefano,
Gianluigi Me and Francesco Pace. (Daun)
http://www.dfrws.org/2010/proceedings/2010-310.pdf
Papers to Read for Exam #2 November 8, 2013
"An Automated Timeline Reconstruction Approach for Digital Forensic Investigations" Christopher Hargreaves and Jonathan Patterson (Cranfield University) (Jason)
http://www.dfrws.org/2012/proceedings/DFRWS2012-8.pdf
"A General Strategy for Differential Forensic Analysis" Simson Garfinkel (Naval Postgraduate School), Alex Nelson (University of California, Santa Cruz) and Joel Young (Naval Postgraduate School) (Garrett)
http://www.dfrws.org/2012/proceedings/DFRWS2012-6.pdf
"Bin-Carver: Automatic Recovery of Binary Executable Files" Scott Hand, Zhiqiang Lin, (University of Texas at Dallas) Guofei Gu (Texas A&M University) and Bhavani Thuraisingham (University of Texas at Dallas) (Ryan) http://www.dfrws.org/2012/proceedings/DFRWS2012-12.pdf
Index to lectures for Exam #2
Lecture 16: Secure Cloud Computing Lecture 17 – Virtualization Security Lecture 18 – Database Tampering – Thuraisingham Lecture 19 – Guest Lecture – Memory Forensics Lecture 20 – Guest Lecture – Mobile phone forensics Lecture 21 – Some digital Topics for GCFE Lecture 22 – Database Tampering - Byrd Lecture 23 – Database Tampering – Raul Lecture 24 - Selective and Intelligent Imaging Using Digital
Evidence Bags – Ryan Lecture 25 – Cyber Forensics Ontology Lecture 26 – Android Forensics - Daun
Index to lectures for Exam #2
Lecture 27: Detecting False Captioning – Byrd Lecture 28 – Timeline Reconstruction Lecture 29 – Bin Carver Lecture 30 - Arriving at an anti-forensics consensus Lecture 31 – Guest Lecture – Space Traveler Lecture 32 – P2P Investigation Lecture 33 – Forza Framework Lecture 34 - Advance evidence collection and analysis of web
browser activity Lecture 35 - XIRAF – XML-based indexing and querying for digital
forensics
Lectures: November 15 and 22
November 15: Guest Lecture: Mobile phone forensics GCFE Exam topics (High Level) Review for exam
November 22 Guest Lecture VM Space Traveler XIRAF paper Review for exam
December 6th and 13th
December 6 Tour of FBI Lab
December 13 Exam #2
Contacts: Instructor
- Dr. Bhavani Thuraisingham
- Louis Beecherl Distinguished Professor of Computer Science
- Executive Director of the Cyber Security Research and Education Institute
- Erik Jonsson School of Engineering and Computer Science
- The University of Texas at Dallas Richardson, TX 75080
- Phone: 972-883-4738
- Fax: 972-883-2399
- Email: [email protected]
- URL:http://www.utdallas.edu/~bxt043000/
Contacts: Teaching Assistant
Mohammed Iftekhar [email protected]
Teaching AssistantComputer SciencePhD, Computer ScienceErik Jonsson Sch of Engr & Com