Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Introduction to the Course August 29, 2014
Outline of the Unit l Objective of the Course l Outline of the Course l Course Work l Course Rules l Contact - Text Book: Guide to Computer Forensics and Investigations - Bill Nelson, Amelia Phillips, Frank Enfinger, and Christopher Steuart - Thompson Course Technology
Objective of the Course l The course describes concepts, developments, challenges, and directions in Digital Forensics. l Text Book: Computer Forensics and Investigations. Bill Nelson et al, l Topics include: - Digital forensics fundamentals, systems and tools, Digital forensics evidence and capture, Digital forensics analysis,
Outline of the Course l Introduction to Data and Applications Security and Digital Forensics l SECTION 1: Computer Forensics l Part I: Background on Information Security l Part II: Computer Forensics Overview Chapters 1, 2, 3, 4, 5 l Part III: Computer Forensics Tools, File systems Chapters 6, 7, 8 l Part IV: Computer Forensics Analysis Chapters 9, 10 l Part V Applications Chapters 11, 12, 13 -
Outline of the Course l Part VI: Expert Witness - Chapters 14, 15, 16 l Additional Topics for Exam #1 and Part 1 of class - Data Mining Malware, Insider Threat, Author Attribution - Selective Publication of Digital Evidence - Guest lecture on Frankenstein
Outline of the Course l SECTION II - Selected Papers from Digital Forensics Research Workshop as well as some other publications Cloud computing and forensics Dr. Lin’s lecture on Reverse engineering for Forensics GIAC Certified Forensics Examination Review l What we have covered + Log analysis, registry analysis, windows artifacts analysis, mobile system forensics, browser forensics l Guest Lectures Richardson Police Department North Texas FBI Digital Forensics Company in DFW area - -
Course Work l Two exams 20 points each l Term paper 8 points l Programming project: 14 points l Digital Forensics project: 10 points l Four assignments each worth 6 points, total: 24 points l Paper presentation: 4 points
Assignments for the Class: Hands-on projects from the text book l Assignments #1 - Chapter 2: 2. 1, 2. 2, 2. 3 l Assignment #2 - Chapter 4: 4. 1, 4. 2 - Chapter 5: 5. 1, 5. 2 l Assignment #3 - Chapter 9: 9 -1, 9 -2 - Chapter 10: 10 -1 l Assignment #4 - Chapter 12: 12 -1, 12 -2 , 12 -3
Tentative Schedule l Assignment #1 due date: September 26, 2014 l Assignment #2: due date: October 10, 2014 l Term paper: October 24, 2014 l Exam #1: October 17, 2014 l Assignment #3: October 31, 2014 l Assignment #4: November 7, 2014 l Digital Forensics Project: November 14, 2014 l Programming Project: November 21, 2014 l Exam #2: TBD – Likely December 5, 2014
Term Paper Outline l Abstract l Introduction l Analyze algorithms, Survey, - - l Give your opinions l Summary/Conclusions
Term Paper Guidelines l Around 5 pages, single spaced, 12 point , time roman font l Take any topic related to forensics – e. g. , crime scene analysis, file system forensics l Abstract and Introduction – 1 page l Discuss some of the techniques for that particular topic – 2 pages l Give an analysis of these techniques – 1 page l Conclusion – half a page l References – list all the references
Programming/Digital Forensics Projects – l Encase evaluation l Develop a system/simulation related to digital forensics - Intrusion detection - Ontology management for digital forensics - Representing digital evidence in XML - Search for certain key words
Papers to Read for Exam #1 l September 26 l Author Attribution Large-scale Plagiarism Detection and Authorship attribution - (1) Juxtapp: A Scalable System for Detecting Code Reuse Among Android Applications - http: //www. cs. berkeley. edu/~dawnsong/papers/2012%20 juxtapp _dimva 12. pdf (2) On the Feasibility of Internet-Scale Author Identification http: //www. cs. berkeley. edu/~dawnsong/papers/2012%20 On%20 t he%20 Feasibility%20 of%20 Internet. Scale%20 Author%20 Identification. pdf
Papers to Read for Exam #1 l September 19: Secure publication of digital evidence (in XML) Secure XML Publishing - l Elisa Bertino, Barbara Carminati, Elena Ferrari, Bhavani M. Thuraisingham, Amar Gupta: Selective and Authentic Third. Party Distribution of XML Documents. IEEE Trans. Knowl. Data Eng. 16(10): 1263 -1278 (2004) l The proofs and the math are not needed l September 26: Network Forensics https: //www. dfrws. org/2005/proceedings/wang_evidencegraphs. pdf - - Network Forensics Analysis with Evidence Graph
Index to lectures for Exam #1 l Lecture #1: Digital Forensics (8/29/2014) (extra credit) l Lecture #2: Cyber Security Modules (8/29/2014) (not included in the exam) l Lecture 3: Adaptive malware (not included in the exam) l Lecture #4: Data Mining for Malware detection l Lecture 5: Data mining (not included in exam) l Lecture 6: Data recovery, evidence collection, preservation l Lecture 7: Data acquisition, processing crime scenes, DF analysis l Lecture 8: File systems and forensics tools l Lecture 9: Validation and recovery of graphic files, Steganography l Lecture 10: Secure Publication of Digital Evidence l Lecture 11: Network and application forensics l Lecture 12: Plagiarism Detection and Author Attribution (TA’s lecture)
Index to lectures for Exam #1 l Lecture 13: Expert Witness and Report Writing l Lecture 14 : Secure Cloud Computing (not included in exam) l Lecture 15 Cloud Forensics NOTE: You need to understand the main concepts of the lectures, the book and the papers for the exam. You can skip the math details and the detailed algorithms
Papers to discuss in class (October 24) Database Forensics l http: //www. cs. arizona. edu/people/rts/publications. html#auditing l Richard T. Snodgrass, Stanley Yao and Christian Collberg, "Tamper Detection in Audit Logs, " In Proceedings of the International Conference on Very Large Databases, Toronto, Canada, August– September 2004, pp. 504– 515. - Tamper Detection in Audit Logs l Did the problem occur? (e. g. similar to intrusion detection) l Kyri Pavlou and Richard T. Snodgrass, "Forensic Analysis of Database Tampering, " in Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD), pages 109 -120, Chicago, June, 2006. l Who caused the problem (e. g. , similar to digital forensics analysis)
Papers to discuss in class October 31, 2014 l XIRAF – XML-based indexing and querying for digital forensics - http: //dfrws. org/2006/proceedings/7 -Alink. pdf l Selective and intelligent imaging using digital evidence bags - http: //dfrws. org/2006/proceedings/8 -Turner. pdf l Detecting false captioning using common-sense reasoning - http: //dfrws. org/2006/proceedings/9 -Lee. pdf l Forensic feature extraction and cross-drive analysis - http: //dfrws. org/2006/proceedings/10 -Garfinkel. pdf l A correlation method for establishing provenance of timestamps in digital evidence http: //dfrws. org/2006/proceedings/13 -%20 Schatz. pdf l FORZA – Digital forensics investigation framework that incorporate legal issues (Eric) http: //dfrws. org/2006/proceedings/4 -Ieong. pdf -
Papers to discuss in class October 31/Nov 7, 2014 l A cyber forensics ontology: Creating a new approach to studying cyber forensics http: //dfrws. org/2006/proceedings/5 -Brinson. pdf l Advanced Evidence Collection and Analysis of Web Browser Activity", Junghoon Oh, Seungbong Lee and Sangjin Lee http: //www. dfrws. org/2011/proceedings/12 -344. pdf l Forensic Investigation of Peer-to-Peer File Sharing Network. Robert Erdely, Thomas Kerle, Brian Levine, Marc Liberatore and Clay Shields. http: //www. dfrws. org/2010/proceedings/2010 -311. pdf l Android Anti-Forensics Through a Local Paradigm. Alessandro Distefano, Gianluigi Me and Francesco Pace. http: //www. dfrws. org/2010/proceedings/2010 -310. pdf l An Automated Timeline Reconstruction Approach for Digital Forensic Investigations" Christopher Hargreaves and Jonathan Patterson (Cranfield University) l http: //www. dfrws. org/2012/proceedings/DFRWS 2012 -8. pdf
Papers to discuss in class October 31/Nov 7, 2014 l "A General Strategy for Differential Forensic Analysis" Simson Garfinkel (Naval Postgraduate School), Alex Nelson (University of California, Santa Cruz) and Joel Young (Naval Postgraduate School) http: //www. dfrws. org/2012/proceedings/DFRWS 2012 -6. pdf l Towards a General Collection Methodology for Android Devices", Timothy Vidas, Chengye Zhang and Nicolas Christin http: //www. dfrws. org/2011/proceedings/07 -339. pdf l Distributed Forensics and Incident Response in the enterprise", Michael Cohen, Darren Bilby and Germano Caronni http: //www. dfrws. org/2011/proceedings/16 -348. pdf l Bin-Carver: Automatic Recovery of Binary Executable Files" Scott Hand, Zhiqiang Lin, (University of Texas at Dallas) Guofei Gu (Texas A&M University) and Bhavani Thuraisingham (University of Texas at Dallas) http: //www. dfrws. org/2012/proceedings/DFRWS 2012 -12. pdf
Papers to read for Exam #2 l http: //www. cs. arizona. edu/people/rts/publications. html#auditing l Richard T. Snodgrass, Stanley Yao and Christian Collberg, "Tamper Detection in Audit Logs, " In Proceedings of the International Conference on Very Large Databases, Toronto, Canada, August– September 2004, pp. 504– 515. - Tamper Detection in Audit Logs l Did the problem occur? (e. g. similar to intrusion detection) l Kyri Pavlou and Richard T. Snodgrass, "Forensic Analysis of Database Tampering, " in Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD), pages 109 -120, Chicago, June, 2006. l Who caused the problem (e. g. , similar to digital forensics analysis)
Papers to read for Exam #2 l XIRAF – XML-based indexing and querying for digital forensics - http: //dfrws. org/2006/proceedings/7 -Alink. pdf l Selective and intelligent imaging using digital evidence bags - http: //dfrws. org/2006/proceedings/8 -Turner. pdf l Detecting false captioning using common-sense reasoning - http: //dfrws. org/2006/proceedings/9 -Lee. pdf l Forensic feature extraction and cross-drive analysis - http: //dfrws. org/2006/proceedings/10 -Garfinkel. pdf l A correlation method for establishing provenance of timestamps in digital evidence http: //dfrws. org/2006/proceedings/13 -%20 Schatz. pdf l Advanced Evidence Collection and Analysis of Web Browser Activity", Junghoon Oh, Seungbong Lee and Sangjin Lee http: //www. dfrws. org/2011/proceedings/12 -344. pdf
Papers to read for exam #2 l Forensic Investigation of Peer-to-Peer File Sharing Network. Robert Erdely, Thomas Kerle, Brian Levine, Marc Liberatore and Clay Shields. http: //www. dfrws. org/2010/proceedings/2010 -311. pdf l "A General Strategy for Differential Forensic Analysis" Simson Garfinkel (Naval Postgraduate School), Alex Nelson (University of California, Santa Cruz) and Joel Young (Naval Postgraduate School) http: //www. dfrws. org/2012/proceedings/DFRWS 2012 -6. pdf l Distributed Forensics and Incident Response in the enterprise", Michael Cohen, Darren Bilby and Germano Caronni http: //www. dfrws. org/2011/proceedings/16 -348. pdf l Bin-Carver: Automatic Recovery of Binary Executable Files" Scott Hand, Zhiqiang Lin, (University of Texas at Dallas) Guofei Gu (Texas A&M University) and Bhavani Thuraisingham (University of Texas at Dallas) http: //www. dfrws. org/2012/proceedings/DFRWS 2012 -12. pdf
Papers for Extra credit questions for exam #2 l A cyber forensics ontology: Creating a new approach to studying cyber forensics http: //dfrws. org/2006/proceedings/5 -Brinson. pdf l An Automated Timeline Reconstruction Approach for Digital Forensic Investigations" Christopher Hargreaves and Jonathan Patterson (Cranfield University) http: //www. dfrws. org/2012/proceedings/DFRWS 2012 -8. pdf
Index to lectures for Exam #2 l We only had one lecture on database forensics part of lectures discussed on October 24, 2014. It is posted on Lecture #19. This material will be included in the exam and the papers are given in the reading list l All the other lectures were guest lectures including on l Virtual Machine Introspection l Mobile malware l Frankenstein l Solution to heart bleed These lectures will not be included in the exam
Course Rules l Unless special permission is obtained from the instructor, each student will work individually l Copying material from other sources will not be permitted unless the source is properly referenced l Any student who plagiarizes from other sources will be reported to the Computer Science department and any other committees as advised by the department
Contacts: Instructor - Dr. Bhavani Thuraisingham - Louis Beecherl Distinguished Professor of Computer Science - Executive Director of the Cyber Security Research and Education Institute - Erik Jonsson School of Engineering and Computer Science - The University of Texas at Dallas Richardson, TX 75080 - Phone: 972 -883 -4738 - Fax: 972 -883 -2399 - Email: bhavani. thuraisingham@utdallas. edu - URL: http: //www. utdallas. edu/~bxt 043000/
Contacts: Teaching Assistant l Mohammed Iftekhar l mxi 110930@utdallas. edu Teaching Assistant Computer Science Ph. D, Computer Science Erik Jonsson Sch of Engr & Com
Скачать презентацию Digital Forensics Dr Bhavani Thuraisingham The University of
5bc6e2d522a45feeeecfc7aee3643eb0.ppt