1 / 28

Digital Forensics

This course covers fundamental concepts, tools, and analysis techniques in digital forensics. Topics include computer forensics, data security, and applications. Textbook and assignments included.

jmaryellen
Download Presentation

Digital Forensics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Introduction to the Course August 29, 2014

  2. Outline of the Unit • Objective of the Course • Outline of the Course • Course Work • Course Rules • Contact • Text Book: Guide to Computer Forensics and Investigations • Bill Nelson, Amelia Phillips, Frank Enfinger, and Christopher Steuart • Thompson Course Technology

  3. Objective of the Course • The course describes concepts, developments, challenges, and directions in Digital Forensics. • Text Book: Computer Forensics and Investigations. Bill Nelson et al, • Topics include: • Digital forensics fundamentals, systems and tools, Digital forensics evidence and capture, Digital forensics analysis,

  4. Outline of the Course • Introduction to Data and Applications Security and Digital Forensics • SECTION 1: Computer Forensics • Part I: Background on Information Security • Part II: Computer Forensics Overview • Chapters 1, 2, 3, 4, 5 • Part III: Computer Forensics Tools, File systems • Chapters 6, 7, 8 • Part IV: Computer Forensics Analysis • Chapters 9, 10 • Part V Applications • Chapters 11, 12, 13

  5. Outline of the Course • Part VI: Expert Witness • Chapters 14, 15, 16 • Additional Topics for Exam #1 and Part 1 of class • Data Mining Malware, Insider Threat, Author Attribution • Selective Publication of Digital Evidence • Guest lecture on Frankenstein

  6. Outline of the Course • SECTION II • Selected Papers from Digital Forensics Research Workshop as well as some other publications • Cloud computing and forensics • Dr. Lin’s lecture on Reverse engineering for Forensics • GIAC Certified Forensics Examination Review • What we have covered + Log analysis, registry analysis, windows artifacts analysis, mobile system forensics, browser forensics • Guest Lectures • Richardson Police Department • North Texas FBI • Digital Forensics Company in DFW area

  7. Course Work • Two exams 20 points each • Term paper 8 points • Programming project: 14 points • Digital Forensics project: 10 points • Four assignments each worth 6 points, total: 24 points • Paper presentation: 4 points

  8. Assignments for the Class: Hands-on projects from the text book • Assignments #1 • Chapter 2: 2.1, 2.2, 2.3 • Assignment #2 • Chapter 4: 4.1, 4.2 • Chapter 5: 5.1, 5.2 • Assignment #3 • Chapter 9: 9-1, 9-2 • Chapter 10: 10-1 • Assignment #4 • Chapter 12: 12-1, 12-2 , 12-3

  9. Tentative Schedule • Assignment #1 due date: September 26, 2014 • Assignment #2: due date: October 10, 2014 • Term paper: October 24, 2014 • Exam #1: October 17, 2014 • Assignment #3: October 31, 2014 • Assignment #4: November 7, 2014 • Digital Forensics Project: November 14, 2014 • Programming Project: November 21, 2014 • Exam #2: TBD – Likely December 5, 2014

  10. Term Paper Outline • Abstract • Introduction • Analyze algorithms, Survey, - - - • Give your opinions • Summary/Conclusions

  11. Term Paper Guidelines • Around 5 pages, single spaced, 12 point , time roman font • Take any topic related to forensics – e.g., crime scene analysis, file system forensics • Abstract and Introduction – 1 page • Discuss some of the techniques for that particular topic – 2 pages • Give an analysis of these techniques – 1 page • Conclusion – half a page • References – list all the references

  12. Programming/Digital Forensics Projects – • Encase evaluation • Develop a system/simulation related to digital forensics • Intrusion detection • Ontology management for digital forensics • Representing digital evidence in XML • Search for certain key words

  13. Papers to Read for Exam #1 • September 26 • Author Attribution Large-scale Plagiarism Detection and Authorship attribution • (1) Juxtapp: A Scalable System for Detecting Code Reuse Among Android Applications • http://www.cs.berkeley.edu/~dawnsong/papers/2012%20juxtapp_dimva12.pdf(2) On the Feasibility of Internet-Scale Author Identificationhttp://www.cs.berkeley.edu/~dawnsong/papers/2012%20On%20the%20Feasibility%20of%20Internet-Scale%20Author%20Identification.pdf

  14. Papers to Read for Exam #1 • September 19: Secure publication of digital evidence (in XML) • Secure XML Publishing • Elisa Bertino, Barbara Carminati, Elena Ferrari, Bhavani M. Thuraisingham, Amar Gupta: Selective and Authentic Third-Party Distribution of XML Documents. IEEE Trans. Knowl. Data Eng. 16(10): 1263-1278 (2004) • The proofs and the math are not needed • September 26: Network Forensics • https://www.dfrws.org/2005/proceedings/wang_evidencegraphs.pdf • Network Forensics Analysis with Evidence Graph

  15. Index to lectures for Exam #1 • Lecture #1: Digital Forensics (8/29/2014) (extra credit) • Lecture #2: Cyber Security Modules (8/29/2014) (not included in the exam) • Lecture 3: Adaptive malware (not included in the exam) • Lecture #4: Data Mining for Malware detection • Lecture 5: Data mining (not included in exam) • Lecture 6: Data recovery, evidence collection, preservation • Lecture 7: Data acquisition, processing crime scenes, DF analysis • Lecture 8: File systems and forensics tools • Lecture 9: Validation and recovery of graphic files, Steganography • Lecture 10: Secure Publication of Digital Evidence • Lecture 11: Network and application forensics • Lecture 12: Plagiarism Detection and Author Attribution (TA’s lecture)

  16. Index to lectures for Exam #1 • Lecture 13: Expert Witness and Report Writing • Lecture 14 : Secure Cloud Computing (not included in exam) • Lecture 15 Cloud Forensics • NOTE: You need to understand the main concepts of the lectures, the book and the papers for the exam. You can skip the math details and the detailed algorithms

  17. Papers to discuss in class (October 24) Database Forensics • http://www.cs.arizona.edu/people/rts/publications.html#auditing • Richard T. Snodgrass, Stanley Yao and Christian Collberg, "Tamper Detection in Audit Logs," In Proceedings of the International Conference on Very Large Databases, Toronto, Canada, August–September 2004, pp. 504–515. • Tamper Detection in Audit Logs • Did the problem occur? (e.g. similar to intrusion detection) • Kyri Pavlou and Richard T. Snodgrass, "Forensic Analysis of Database Tampering," in Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD), pages 109-120, Chicago, June, 2006. • Who caused the problem (e.g., similar to digital forensics analysis)

  18. Papers to discuss in class October 31, 2014 • XIRAF – XML-based indexing and querying for digital forensics • http://dfrws.org/2006/proceedings/7-Alink.pdf • Selective and intelligent imaging using digital evidence bags • http://dfrws.org/2006/proceedings/8-Turner.pdf • Detecting false captioning using common-sense reasoning • http://dfrws.org/2006/proceedings/9-Lee.pdf • Forensic feature extraction and cross-drive analysis • http://dfrws.org/2006/proceedings/10-Garfinkel.pdf • A correlation method for establishing provenance of timestamps in digital evidence • http://dfrws.org/2006/proceedings/13-%20Schatz.pdf • FORZA – Digital forensics investigation framework that incorporate legal issues (Eric) • http://dfrws.org/2006/proceedings/4-Ieong.pdf

  19. Papers to discuss in class October 31/Nov 7, 2014 • A cyber forensics ontology: Creating a new approach to studying cyber forensics http://dfrws.org/2006/proceedings/5-Brinson.pdf • Advanced Evidence Collection and Analysis of Web Browser Activity", Junghoon Oh, Seungbong Lee and Sangjin Lee http://www.dfrws.org/2011/proceedings/12-344.pdf • Forensic Investigation of Peer-to-Peer File Sharing Network. Robert Erdely, Thomas Kerle, Brian Levine, Marc Liberatore and Clay Shields. http://www.dfrws.org/2010/proceedings/2010-311.pdf • Android Anti-Forensics Through a Local Paradigm. Alessandro Distefano, Gianluigi Me and Francesco Pace. http://www.dfrws.org/2010/proceedings/2010-310.pdf • An Automated Timeline Reconstruction Approach for Digital Forensic Investigations" Christopher Hargreaves and Jonathan Patterson (Cranfield University) • http://www.dfrws.org/2012/proceedings/DFRWS2012-8.pdf

  20. Papers to discuss in class October 31/Nov 7, 2014 • "A General Strategy for Differential Forensic Analysis" Simson Garfinkel (Naval Postgraduate School), Alex Nelson (University of California, Santa Cruz) and Joel Young (Naval Postgraduate School) http://www.dfrws.org/2012/proceedings/DFRWS2012-6.pdf • Towards a General Collection Methodology for Android Devices", Timothy Vidas, Chengye Zhang and Nicolas Christin http://www.dfrws.org/2011/proceedings/07-339.pdf • Distributed Forensics and Incident Response in the enterprise", Michael Cohen, Darren Bilby and GermanoCaronni http://www.dfrws.org/2011/proceedings/16-348.pdf • Bin-Carver: Automatic Recovery of Binary Executable Files" Scott Hand, Zhiqiang Lin, (University of Texas at Dallas) Guofei Gu (Texas A&M University) and Bhavani Thuraisingham (University of Texas at Dallas) http://www.dfrws.org/2012/proceedings/DFRWS2012-12.pdf

  21. Papers to read for Exam #2 • http://www.cs.arizona.edu/people/rts/publications.html#auditing • Richard T. Snodgrass, Stanley Yao and Christian Collberg, "Tamper Detection in Audit Logs," In Proceedings of the International Conference on Very Large Databases, Toronto, Canada, August–September 2004, pp. 504–515. • Tamper Detection in Audit Logs • Did the problem occur? (e.g. similar to intrusion detection) • Kyri Pavlou and Richard T. Snodgrass, "Forensic Analysis of Database Tampering," in Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD), pages 109-120, Chicago, June, 2006. • Who caused the problem (e.g., similar to digital forensics analysis)

  22. Papers to read for Exam #2 • XIRAF – XML-based indexing and querying for digital forensics • http://dfrws.org/2006/proceedings/7-Alink.pdf • Selective and intelligent imaging using digital evidence bags • http://dfrws.org/2006/proceedings/8-Turner.pdf • Detecting false captioning using common-sense reasoning • http://dfrws.org/2006/proceedings/9-Lee.pdf • Forensic feature extraction and cross-drive analysis • http://dfrws.org/2006/proceedings/10-Garfinkel.pdf • A correlation method for establishing provenance of timestamps in digital evidence http://dfrws.org/2006/proceedings/13-%20Schatz.pdf • Advanced Evidence Collection and Analysis of Web Browser Activity", Junghoon Oh, Seungbong Lee and Sangjin Lee http://www.dfrws.org/2011/proceedings/12-344.pdf

  23. Papers to read for exam #2 • Forensic Investigation of Peer-to-Peer File Sharing Network. Robert Erdely, Thomas Kerle, Brian Levine, Marc Liberatore and Clay Shields. http://www.dfrws.org/2010/proceedings/2010-311.pdf • "A General Strategy for Differential Forensic Analysis" Simson Garfinkel (Naval Postgraduate School), Alex Nelson (University of California, Santa Cruz) and Joel Young (Naval Postgraduate School) http://www.dfrws.org/2012/proceedings/DFRWS2012-6.pdf • Distributed Forensics and Incident Response in the enterprise", Michael Cohen, Darren Bilby and GermanoCaronni http://www.dfrws.org/2011/proceedings/16-348.pdf • Bin-Carver: Automatic Recovery of Binary Executable Files" Scott Hand, Zhiqiang Lin, (University of Texas at Dallas) Guofei Gu (Texas A&M University) and Bhavani Thuraisingham (University of Texas at Dallas) http://www.dfrws.org/2012/proceedings/DFRWS2012-12.pdf

  24. Papers for Extra credit questions for exam #2 • A cyber forensics ontology: Creating a new approach to studying cyber forensics http://dfrws.org/2006/proceedings/5-Brinson.pdf • An Automated Timeline Reconstruction Approach for Digital Forensic Investigations" Christopher Hargreaves and Jonathan Patterson (Cranfield University) http://www.dfrws.org/2012/proceedings/DFRWS2012-8.pdf

  25. Index to lectures for Exam #2 • We only had one lecture on database forensics part of lectures discussed on October 24, 2014. It is posted on Lecture #19. This material will be included in the exam and the papers are given in the reading list • All the other lectures were guest lectures including on • Virtual Machine Introspection • Mobile malware • Frankenstein • Solution to heart bleed • These lectures will not be included in the exam

  26. Course Rules • Unless special permission is obtained from the instructor, each student will work individually • Copying material from other sources will not be permitted unless the source is properly referenced • Any student who plagiarizes from other sources will be reported to the Computer Science department and any other committees as advised by the department

  27. Contacts: Instructor • Dr. Bhavani Thuraisingham • Louis Beecherl Distinguished Professor of Computer Science • Executive Director of the Cyber Security Research and Education Institute • Erik Jonsson School of Engineering and Computer Science • The University of Texas at Dallas Richardson, TX 75080 • Phone: 972-883-4738 • Fax: 972-883-2399 • Email: bhavani.thuraisingham@utdallas.edu • URL:http://www.utdallas.edu/~bxt043000/

  28. Contacts: Teaching Assistant • Mohammed Iftekhar • mxi110930@utdallas.eduTeaching AssistantComputer SciencePhD, Computer ScienceErik Jonsson Sch of Engr & Com

More Related