ISA 785: Research in Digital Forensics - Spring 2015

[Bibliography] [Class Schedule] [Available Projects]


Instructor: Angelos Stavrou
Lecture: Monday 7:20pm - 10:00pm
Room:
Nguyen Engineering Building 5358 [Campus Map]
Office Hours: Monday 4:30pm - 7:00pm and by appointment
Office: Research I, Rm 437
Email: astavrou()gmu.edu

Course Description:

This class will be focused on current research and challenges in Digital Forensics including:

  • Principles, Techniques, Tools used in Digital Forensics
  • Computer and Network Forensic Analysis
  • Forensics for Mobile Devices
Class Objectives

This course offers an in depth introduction to the principles, techniques, tools and current practices used in digital forensics including latest research advances. By the end of the course, students will gain experience in:

  • Principles and Techniques for Digital Forensics
  • Understand the established procedures in Digital Evidence Identification, Extraction, Preservation, Correlation, Analysis and Presentation
  • Apply Existing Tools to conduct Forensics Duplication and analysis
  • Understand the specific technical challenges in conducting Digital Forensics
  • Countermeasures and Caveats of Digital forensics
  • Common Legal and Ethical issues in Digital Forensics

Prerequisites:

CS 571 (Operating Systems), CS 555 (Computer Networks), and ISA 562 (Information Security Theory & Practice); or permission of instructor. The coursework will include substantial programming projects; in order to be able to complete the projects, the students must be comfortable with Java or another programming language.

Bibliography:

Required: [TextBook available online for GMU students]
Incident Response & Computer Forensics, Third Edition
by Kevin Mandia, Matthew Pepe, Jason Luttgens

Publisher: McGraw-Hill Osborne Media Published: August 2014
ISBN-13: 978-0071798686 ISBN-10: 0071798684
[Online for GMU] [Amazon]

On the course web page you will also find assigned reading from on-line articles, law opinions, and research publications. I will also have supplementary materials on reserve or handed out during class. Although we will not read the entire Carrier book, and we will use it for only a portion of the class, it cannot be replaced with other materials.

Recommended: [TextBook available online for GMU students]
File System Forensic Analysis by Brian Carrier.
Addison-Wesley Professional, (March 27, 2005) ISBN-13: 9780321268174
[Online for GMU] [Pearson] [Amazon]

Grading:
  • Class Projects: 80%
  • Class Presentations: 15%
  • Class Participation: 5%
  • No Midterm or Final

The students must achieve a total score of at least 90 (out of 100) to be considered for an A. This class is an advanced graduate-level class and is geared towards understanding the fundamental concepts behind Digital Forensics. The students will be expected to participate in large projects under the guidance of the instructor.

Computer Accounts:

All students should have accounts on the central Mason Unix system mason.gmu.edu (also known as osf1.gmu.edu)
and on IT&E Unix cluster zeus.ite.gmu.edu (Instructions and related links are here). Please read the FAQ if you have any questions. Students can work in IT&E computer labs for programming projects during the specified hours.

Honor Code:

Please read and adhere to the University's Academic Honesty Page, GMU Honor Code, CS Department Honor Code

Disability Statement
If you have a documented learning disability or other condition that may affect academic performance you should:
1) Make sure this documentation is on file with the Office of Disability Services.
All academic accommodations must be arranged through the ODS. http://ods.gmu.edu
2) Talk with me to discuss your accommodation needs.


Other Usefull Resources


Writing Center:
A114 Robinson Hall; (703) 993-1200; http://writingcenter.gmu.edu
University Libraries: “Ask a Librarian” http://library.gmu.edu/mudge/IM/IMRef.html
Counseling and Phychological Services (CAPS): (703) 993-2380; http://caps.gmu.edu
University Policies: The University Catalog, http://catalog.gmu.edu, is the central resource
for university policies affecting student, faculty, and staff conduct in university affairs.


Class Schedule

Week & Date
Course Lectures & Readings (Tentative)

Week 1, Jan 26

Intro & Class Mechanics [PDF]

Week 1, Feb 2

Modern Digital Forensics [PDF]

Readings:

- US DoJ: Forensic Examination of Digital Evidence: A Guide for Law Enforcement

- US DoJ: Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition

Week 2, Feb 9

Introduction to Mobile (Android) Systems [PDF]

Android Provisioning/Rooting Device Resources
Cyanogenmod on HTC Desire - provisioning tutorial [link]


Setting up Android developer environment tutorial [link]


Articles & Readings

Electronic Frontier Foundation Mobile Tracking [link]


Device Squad: The story behind the FTC's first case against a mobile device maker [link]


Fandango, Credit Karma Settle FTC Charges that They Deceived Consumers By Failing to Securely Transmit Sensitive Personal Information [link]

Android Programming Resources
Google Android SDK [HTML]
Developer's Guide [HTML]
Android Emulator [HTML]
Android Debug Bridge [HTML]

Security Enforcement in Mobile Devices
[PDF]
Android Programming Model using HTML for the UI [HTML]
IBM's Tapping into Android Sensors' Page [HTML]

Week 3, Feb 16
Class cancelled due to inclement weather
Week 4, Feb 23

Project I Discussion - Teams

Background Basics: Operating Systems, Computer Networks
Review of basic concepts of data representation, Application Specific Forensics,
Data recovery versus Forensic Investigations (from the book)
Readings: B. Carrier exbook Chapters 2, 3, 4

Introduction to File System Forensics & Data Hiding
[Unix File System Primer] [TSK Overview and Automated Scanning, Brian Carrier]
Readings: B. Carrier Texbook Chapter 5, 14


Bell, G.B. and Boddington, R. (2010) Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery? Journal of Digital Forensics, Security and Law, 5 (3). pp. 1-20.

Week 6, March 2

Class will start at 6:45pm

LAB: Open Source Digital Forensics Tools (I)

C
ERT Forensic Tools [Link]

CERT Digital Intelligence and Investigation Tools [Link]

Network Forensics - Challenges and Open Problems [PDF]

Readings:

  1. Passive Network Forensics: Behavioural Classification of Network Hosts Based
    on Connection Patterns, John McHugh et. al. [ACM] [PDF]
  2. New Payload Attribution Methods for Network Forensic Investigations,
    Miroslav Ponec et. al. [PDF]
  3. Forensic carving of network packets and associated data structures,
    Simson Garfinkel et. al. [PDF]
Discuss Network wide scenario reconstruction, Trace-Back
Week 7, March 9

Spring Break

Week 8, March 16

Memory Forensics & Anti-Forensics - the value of Digital Evidence:

Lab Instructions [html]

- Finding Digital Evidence In Physical Memory, Mariusz Burdach, BH06 [PDF]

- Physical Memory Forensics for Files and Cache, Jamie Butler and Justin Murdock, BH11 [PDF]

- Anti-Forensics, The Rootkit Connection, Bill Blunden, BH09 [PDF]


Week 9, March 23

Project I Presentations

Week 10, March 30

Steganography, Steganalysis, & Information Hiding

Steganography, Steganalysis, & Cryptanalysis, Michael T. Raggo,VeriSign [PDF]

Hide and Seek: An Introduction to Steganography, Niels Provos et al. [PDF]

Steganography and Steganalysis: Different Approaches, Soumyendu Das et al. [PDF]

Week 11, April 6

Cloud Forensics

NIST IR 8006 DRAFT NIST Cloud Computing Forensic Science Challenges [PDF]

Articles: Dropbox, Document Tracking
Project I writeups are Due

Week 12, April 13

Steganography, Steganalysis, & Information Hiding II

Image Steganography & Steganalysis [PDF]

- Steganography Capacity: A Steganalysis Perspective [PDF]
R. Chandramoulia and N.D. Memon

- Blind Statistical Steganalysis of Additive Steganography Using Wavelet Higher Order Statistics
[PDF]
Taras Holotyak et al.

Week 14, April 20

Project Discussions


Week 15, April 27

Class Recap and Discussion Lessons Learned

Blackhat 2014: "GRR: Find all the badness, collect all the things" slides

Week 16, May 4

Final Project Presentations (Each team, discussion)

Project II writeup is Due
Home -  Publications - Teaching - CV - Contact

Last updated:
Please feel free to send your comments and suggestions to Angelos Stavrou.
© 2015 Angelos Stavrou, Computer Science Department, George Mason University.