Introduction - The University of Texas at Dallas

Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Introduction to the Course
August 29, 2014
Outline of the Unit
• Objective of the Course
• Outline of the Course
• Course Work
• Course Rules
• Contact
• Text Book: Guide to Computer Forensics and Investigations
  - Bill Nelson, Amelia Phillips, Frank Enfinger, and Christopher Steuart
  - Thompson Course Technology
Objective of the Course
• The course describes concepts, developments, challenges, and directions in Digital Forensics.
• Text Book: Computer Forensics and Investigations, Bill Nelson et al.
• Topics include:
  - Digital forensics fundamentals, systems and tools; digital forensics evidence and capture; digital forensics analysis.
Outline of the Course
• Introduction to Data and Applications Security and Digital Forensics
• SECTION 1: Computer Forensics
• Part I: Background on Information Security
• Part II: Computer Forensics Overview
  - Chapters 1, 2, 3, 4, 5
• Part III: Computer Forensics Tools, File Systems
  - Chapters 6, 7, 8
• Part IV: Computer Forensics Analysis
  - Chapters 9, 10
• Part V: Applications
  - Chapters 11, 12, 13
• Part VI: Expert Witness
  - Chapters 14, 15, 16
• Additional Topics for Exam #1 and Part 1 of class
  - Data Mining Malware, Insider Threat, Author Attribution
  - Selective Publication of Digital Evidence
  - Guest lecture on Frankenstein
• SECTION II
  - Selected papers from the Digital Forensics Research Workshop as well as some other publications
  - Cloud computing and forensics
  - Dr. Lin’s lecture on Reverse Engineering for Forensics
  - GIAC Certified Forensics Examination Review
• What we have covered + log analysis, registry analysis, Windows artifacts analysis, mobile system forensics, browser forensics
• Guest Lectures
  - Richardson Police Department
  - North Texas FBI
  - Digital Forensics Company in DFW area
Course Work
• Two exams, 20 points each
• Term paper: 8 points
• Programming project: 14 points
• Digital Forensics project: 10 points
• Four assignments, each worth 6 points, total: 24 points
• Paper presentation: 4 points
Assignments for the Class: Hands-on projects from the text book
• Assignment #1
  - Chapter 2: 2.1, 2.2, 2.3
• Assignment #2
  - Chapter 4: 4.1, 4.2
  - Chapter 5: 5.1, 5.2
• Assignment #3
  - Chapter 9: 9-1, 9-2
  - Chapter 10: 10-1
• Assignment #4
  - Chapter 12: 12-1, 12-2, 12-3
Tentative Schedule
• Assignment #1 due date: September 26, 2014
• Assignment #2 due date: October 10, 2014
• Term paper: October 24, 2014
• Exam #1: October 17, 2014
• Assignment #3: October 31, 2014
• Assignment #4: November 7, 2014
• Digital Forensics Project: November 14, 2014
• Programming Project: November 21, 2014
• Exam #2: TBD – likely December 5, 2014
Term Paper Outline
• Abstract
• Introduction
• Analyze algorithms, survey, give your opinions
• Summary/Conclusions
Term Paper Guidelines
• Around 5 pages, single spaced, 12-point Times Roman font
• Take any topic related to forensics – e.g., crime scene analysis, file system forensics
• Abstract and Introduction – 1 page
• Discuss some of the techniques for that particular topic – 2 pages
• Give an analysis of these techniques – 1 page
• Conclusion – half a page
• References – list all the references
Programming/Digital Forensics Projects
• EnCase evaluation
• Develop a system/simulation related to digital forensics
  - Intrusion detection
  - Ontology management for digital forensics
  - Representing digital evidence in XML
  - Search for certain key words
Papers to Read for Exam #1
• September 26
• Author Attribution: Large-scale Plagiarism Detection and Authorship Attribution
  - (1) Juxtapp: A Scalable System for Detecting Code Reuse Among Android Applications
    http://www.cs.berkeley.edu/~dawnsong/papers/2012%20juxtapp_dimva12.pdf
  - (2) On the Feasibility of Internet-Scale Author Identification
    http://www.cs.berkeley.edu/~dawnsong/papers/2012%20On%20the%20Feasibility%20of%20InternetScale%20Author%20Identification.pdf
• September 19: Secure publication of digital evidence (in XML)
  - Secure XML Publishing: Elisa Bertino, Barbara Carminati, Elena Ferrari, Bhavani M. Thuraisingham, Amar Gupta: Selective and Authentic Third-Party Distribution of XML Documents. IEEE Trans. Knowl. Data Eng. 16(10): 1263-1278 (2004)
    The proofs and the math are not needed
• September 26: Network Forensics
  - Network Forensics Analysis with Evidence Graph
    https://www.dfrws.org/2005/proceedings/wang_evidencegraphs.pdf
Index to lectures for Exam #1
• Lecture 1: Digital Forensics (8/29/2014) (extra credit)
• Lecture 2: Cyber Security Modules (8/29/2014) (not included in the exam)
• Lecture 3: Adaptive malware (not included in the exam)
• Lecture 4: Data Mining for Malware Detection
• Lecture 5: Data mining (not included in the exam)
• Lecture 6: Data recovery, evidence collection, preservation
• Lecture 7: Data acquisition, processing crime scenes, DF analysis
• Lecture 8: File systems and forensics tools
• Lecture 9: Validation and recovery of graphic files, steganography
• Lecture 10: Secure Publication of Digital Evidence
• Lecture 11: Network and application forensics
• Lecture 12: Plagiarism Detection and Author Attribution (TA’s lecture)
• Lecture 13: Expert Witness and Report Writing
• Lecture 14: Secure Cloud Computing (not included in the exam)
• Lecture 15: Cloud Forensics
NOTE: You need to understand the main concepts of the lectures, the book and the papers for the exam. You can skip the math details and the detailed algorithms.
Papers to discuss in class (October 24)
Database Forensics
• http://www.cs.arizona.edu/people/rts/publications.html#auditing
• Richard T. Snodgrass, Stanley Yao and Christian Collberg, "Tamper Detection in Audit Logs," in Proceedings of the International Conference on Very Large Databases, Toronto, Canada, August–September 2004, pp. 504–515.
  - Tamper Detection in Audit Logs: did the problem occur? (e.g., similar to intrusion detection)
• Kyri Pavlou and Richard T. Snodgrass, "Forensic Analysis of Database Tampering," in Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD), pages 109-120, Chicago, June 2006.
  - Who caused the problem? (e.g., similar to digital forensics analysis)
Papers to discuss in class October 31, 2014
• XIRAF – XML-based indexing and querying for digital forensics
  - http://dfrws.org/2006/proceedings/7-Alink.pdf
• Selective and intelligent imaging using digital evidence bags
  - http://dfrws.org/2006/proceedings/8-Turner.pdf
• Detecting false captioning using common-sense reasoning
  - http://dfrws.org/2006/proceedings/9-Lee.pdf
• Forensic feature extraction and cross-drive analysis
  - http://dfrws.org/2006/proceedings/10-Garfinkel.pdf
• A correlation method for establishing provenance of timestamps in digital evidence
  - http://dfrws.org/2006/proceedings/13-%20Schatz.pdf
• FORZA – Digital forensics investigation framework that incorporate legal issues (Eric)
  - http://dfrws.org/2006/proceedings/4-Ieong.pdf
Papers to discuss in class October 31/Nov 7, 2014
• A cyber forensics ontology: Creating a new approach to studying cyber forensics
  - http://dfrws.org/2006/proceedings/5-Brinson.pdf
• "Advanced Evidence Collection and Analysis of Web Browser Activity", Junghoon Oh, Seungbong Lee and Sangjin Lee
  - http://www.dfrws.org/2011/proceedings/12-344.pdf
• "Forensic Investigation of Peer-to-Peer File Sharing Network", Robert Erdely, Thomas Kerle, Brian Levine, Marc Liberatore and Clay Shields
  - http://www.dfrws.org/2010/proceedings/2010-311.pdf
• "Android Anti-Forensics Through a Local Paradigm", Alessandro Distefano, Gianluigi Me and Francesco Pace
  - http://www.dfrws.org/2010/proceedings/2010-310.pdf
• "An Automated Timeline Reconstruction Approach for Digital Forensic Investigations", Christopher Hargreaves and Jonathan Patterson (Cranfield University)
  - http://www.dfrws.org/2012/proceedings/DFRWS2012-8.pdf
• "A General Strategy for Differential Forensic Analysis", Simson Garfinkel (Naval Postgraduate School), Alex Nelson (University of California, Santa Cruz) and Joel Young (Naval Postgraduate School)
  - http://www.dfrws.org/2012/proceedings/DFRWS2012-6.pdf
• "Towards a General Collection Methodology for Android Devices", Timothy Vidas, Chengye Zhang and Nicolas Christin
  - http://www.dfrws.org/2011/proceedings/07-339.pdf
• "Distributed Forensics and Incident Response in the Enterprise", Michael Cohen, Darren Bilby and Germano Caronni
  - http://www.dfrws.org/2011/proceedings/16-348.pdf
• "Bin-Carver: Automatic Recovery of Binary Executable Files", Scott Hand, Zhiqiang Lin (University of Texas at Dallas), Guofei Gu (Texas A&M University) and Bhavani Thuraisingham (University of Texas at Dallas)
  - http://www.dfrws.org/2012/proceedings/DFRWS2012-12.pdf
Papers to read for Exam #2
• http://www.cs.arizona.edu/people/rts/publications.html#auditing
• Richard T. Snodgrass, Stanley Yao and Christian Collberg, "Tamper Detection in Audit Logs," in Proceedings of the International Conference on Very Large Databases, Toronto, Canada, August–September 2004, pp. 504–515.
  - Tamper Detection in Audit Logs: did the problem occur? (e.g., similar to intrusion detection)
• Kyri Pavlou and Richard T. Snodgrass, "Forensic Analysis of Database Tampering," in Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD), pages 109-120, Chicago, June 2006.
  - Who caused the problem? (e.g., similar to digital forensics analysis)
• XIRAF – XML-based indexing and querying for digital forensics
  - http://dfrws.org/2006/proceedings/7-Alink.pdf
• Selective and intelligent imaging using digital evidence bags
  - http://dfrws.org/2006/proceedings/8-Turner.pdf
• Detecting false captioning using common-sense reasoning
  - http://dfrws.org/2006/proceedings/9-Lee.pdf
• Forensic feature extraction and cross-drive analysis
  - http://dfrws.org/2006/proceedings/10-Garfinkel.pdf
• A correlation method for establishing provenance of timestamps in digital evidence
  - http://dfrws.org/2006/proceedings/13-%20Schatz.pdf
• "Advanced Evidence Collection and Analysis of Web Browser Activity", Junghoon Oh, Seungbong Lee and Sangjin Lee
  - http://www.dfrws.org/2011/proceedings/12-344.pdf
• "Forensic Investigation of Peer-to-Peer File Sharing Network", Robert Erdely, Thomas Kerle, Brian Levine, Marc Liberatore and Clay Shields
  - http://www.dfrws.org/2010/proceedings/2010-311.pdf
• "A General Strategy for Differential Forensic Analysis", Simson Garfinkel (Naval Postgraduate School), Alex Nelson (University of California, Santa Cruz) and Joel Young (Naval Postgraduate School)
  - http://www.dfrws.org/2012/proceedings/DFRWS2012-6.pdf
• "Distributed Forensics and Incident Response in the Enterprise", Michael Cohen, Darren Bilby and Germano Caronni
  - http://www.dfrws.org/2011/proceedings/16-348.pdf
• "Bin-Carver: Automatic Recovery of Binary Executable Files", Scott Hand, Zhiqiang Lin (University of Texas at Dallas), Guofei Gu (Texas A&M University) and Bhavani Thuraisingham (University of Texas at Dallas)
  - http://www.dfrws.org/2012/proceedings/DFRWS2012-12.pdf
Papers for extra credit questions for Exam #2
• A cyber forensics ontology: Creating a new approach to studying cyber forensics
  - http://dfrws.org/2006/proceedings/5-Brinson.pdf
• "An Automated Timeline Reconstruction Approach for Digital Forensic Investigations", Christopher Hargreaves and Jonathan Patterson (Cranfield University)
  - http://www.dfrws.org/2012/proceedings/DFRWS2012-8.pdf
Index to lectures for Exam #2
• We had only one lecture on database forensics, as part of the lectures discussed on October 24, 2014. It is posted as Lecture #19. This material will be included in the exam, and the papers are given in the reading list.
• All the other lectures were guest lectures, including on:
  - Virtual Machine Introspection
  - Mobile malware
  - Frankenstein
  - Solution to Heartbleed
  These lectures will not be included in the exam.
Course Rules
• Unless special permission is obtained from the instructor, each student will work individually.
• Copying material from other sources will not be permitted unless the source is properly referenced.
• Any student who plagiarizes from other sources will be reported to the Computer Science department and any other committees as advised by the department.
Contacts: Instructor
- Dr. Bhavani Thuraisingham
- Louis Beecherl Distinguished Professor of Computer Science
- Executive Director of the Cyber Security Research and Education Institute
- Erik Jonsson School of Engineering and Computer Science
- The University of Texas at Dallas, Richardson, TX 75080
- Phone: 972-883-4738
- Fax: 972-883-2399
- Email: bhavani.thuraisingham@utdallas.edu
- URL: http://www.utdallas.edu/~bxt043000/
Contacts: Teaching Assistant
- Mohammed Iftekhar
- mxi110930@utdallas.edu
- Teaching Assistant, Computer Science (PhD, Computer Science)
- Erik Jonsson School of Engineering and Computer Science