Meeting Times |
Days: Tuesdays and Thursdays at 11am
Location: FB331
Description |
This course focuses on topics in cyber forensics. The course is structured as a seminar where students jointly discuss selected papers and implement some of the ideas set forth in these papers. Introduction to Computer Security (COMP535) or equivalent is required as a prerequisite before taking this course. It is expected that students have good familiarity with Operating Systems concepts (e.g., memory management, processes, file systems). In addition, familiarity with low-level systems programming (e.g., C and assembly) will be necessary for understanding the details of some of the assigned readings, and will be helpful in completing the in-class exercises (e.g., on malware analysis).
Course Project |
The course project will involve validating ideas covered in one or more papers/topics discussed in class. For the most part, the project will entail extending an existing framework (mostly Volatility) to assess the feasibility of ideas suggested from a range of sources (e.g., textbooks, academic papers, blog posts). Topics include memory acquisition, process memory internals, disk and file system artifacts, network artifacts, event reconstruction, time-line analysis, and malware forensics. The project builds on the (short) programming exercises given throughout the course. Several ideas for potential projects will be suggested (based on the list of papers below), but students are encouraged to work on topics that they are passionate about. Think of the course project as designing a lablet (with exercises) that would be suitable for students taking COMP535. Your lablet will be graded by your peers.
Readings and Presentations |
Students are required to read the material assigned during the semester and be able to competently discuss the material in class. Students will be required to use a version control system (git) for sharing the solutions to the assigned tasks and explaining how they solved a given task.
Office Hours |
Thursdays 2pm-3:30pm and by appointment.
Mailing List |
Registered students will automatically be added to the course mailing list.
Grading |
This is intended to be an INTERACTIVE class, and as such, class participation will play a significant role in the course grading criteria. (If you've taken COMP535 with me, then you know what I mean!) Students will be graded on how well they present their solutions to the rest of the class, their participation in discussions, and their course project. Tentative weights for the grading are as follows:
Deliverable | Grade |
Programming tasks and in-class explanations | 25% |
Course Project | 50% |
Class participation | 25% |
Books and supplemental readings |
Date | Topic |
Week 1 | Course Introduction, objectives, project discussion |
Week 2 | |
Week 3 | Forensic Memory Analysis - Files Mapped in Memory, Wouter Alink and Alex van Ballegooij, 2008. In-class exercise #1, parts 1 and 2. Related readings: Forensic Analysis of Video File Formats, Thomas Gloe, Andre Fischer and Matthias Kirchner, 2014; Chapter 7 of AMF. Check out this video that introduces some neat extensions done with Volatility. |
Week 4 | Flesh on the bone: detecting ROP-based malware. Kevin Snow et al. Just-in-time code attacks. Related: refresher on the stack-based labs from COMP535 (on your own). In-class exercise #1, part 3. |
Week 5 - Away for RAID'16 conference | Extended Memory Analysis: In-class exercise #2, parts 1 and 2. |
Week 6 | |
Week 7 | TLSkex: Harnessing Virtual Machine Introspection for Decrypting TLS Communication, Benjamin Taubmann, Christoph Frädrich, Dominik Dusold and Hans Reiser, 2016. Related reading: In-class exercise #3. |
Weeks 8,9 | Novel Feature Extraction, Selection and Fusion for Effective Malware Family Classification, Ahmadi et al., 2016. Note: do not download the Kaggle dataset; we already have a copy on the class VMs. Related reading: |
Week 10 | Live Honeynet Analysis and Forensic Challenges. Related: The Honeynet Project Challenges; Chapter 8 of AMF. |
Week 11 | |
Week 12 | |