Introduction - The University of Texas at Dallas
Digital Forensics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Introduction to the Course
August 30, 2013
Outline of the Unit
Objective of the Course
Outline of the Course
Course Work
Course Rules
Contact
- Text Book: Guide to Computer Forensics and Investigations
- Bill Nelson, Amelia Phillips, Frank Enfinger, and Christopher Steuart
- Thomson Course Technology
Objective of the Course
The course describes concepts, developments, challenges, and directions in Digital Forensics.
Text Book: Computer Forensics and Investigations. Bill Nelson et al.
Topics include:
- Digital forensics fundamentals, systems and tools
- Digital forensics evidence and capture
- Digital forensics analysis
Outline of the Course
Introduction to Data and Applications Security and Digital Forensics
SECTION I: Computer Forensics
Part I: Background on Information Security
Part II: Computer Forensics Overview
- Chapters 1, 2, 3, 4, 5
Part III: Computer Forensics Tools, File Systems
- Chapters 6, 7, 8
Part IV: Computer Forensics Analysis
- Chapters 9, 10
Part V: Applications
- Chapters 11, 12, 13
Outline of the Course
Part VI: Expert Witness
- Chapters 14, 15, 16
Additional Topics for Exam #1 and Part 1 of class
- Data Mining Malware, Insider Threat, Author Attribution
- Selective Publication of Digital Evidence
- Guest lecture on Frankenstein
Outline of the Course
SECTION II
- Selected papers from the Digital Forensics Research Workshop as well as some other publications
- Cloud computing and forensics
- Dr. Lin's lecture on reverse engineering for forensics
- GIAC Certified Forensics Examination review: what we have covered + log analysis, registry analysis, Windows artifacts analysis, mobile system forensics, browser forensics
Guest Lectures
- Richardson Police Department
- North Texas FBI (Friday afternoon)
- Digital forensics company in the DFW area
Course Work
Two exams: 20 points each
Term paper: 12 points
Programming project: 20 points
Digital Forensics project: 16 points
Four assignments, each worth 8 points, total: 32 points
Tentative Schedule
Assignment #1 due date: September 20, 2013
Assignment #2 due date: September 27, 2013
Term paper #1: October 11, 2013
Exam #1: October 18, 2013
Assignment #3: October 25, 2013 – November 1, 2013
Assignment #4: November 1, 2013 – November 8, 2013
Digital Forensics Project: November 15, 2013
Programming Project: November 22, 2013
Exam #2: December 13, 2013
Term Paper Outline
- Abstract
- Introduction
- Analyze algorithms, survey, give your opinions
- Summary/Conclusions
Term Paper Guidelines
Around 5 pages, single spaced, 12 point, Times Roman font
Take any topic related to forensics – e.g., crime scene analysis, file system forensics
Abstract and Introduction – 1 page
Discuss some of the techniques for that particular topic – 2 pages
Give an analysis of these techniques – 1 page
Conclusion – half a page
References – list all the references
Programming/Digital Forensics Projects
- EnCase evaluation
- Develop a system/simulation related to digital forensics, for example:
  - Intrusion detection
  - Ontology management for digital forensics
  - Representing digital evidence in XML
  - Search for certain key words
Course Rules
Unless special permission is obtained from the instructor, each student will work individually.
Copying material from other sources will not be permitted unless the source is properly referenced.
Any student who plagiarizes from other sources will be reported to the Computer Science department and any other committees as advised by the department.
Assignments for the Class: Hands-on projects from the text book
Assignment #1
- Chapter 2: 2-1, 2-2, 2-3
Assignment #2
- Chapter 4: 4-1, 4-2
- Chapter 5: 5-1, 5-2
Assignment #3
- Chapter 9: 9-1, 9-2
- Chapter 10: 10-1
Assignment #4
- Chapter 12: 12-1, 12-2, 12-3
Papers to Read for Exam #1
September 20: Author Attribution
Large-scale plagiarism detection and authorship attribution
- (1) Juxtapp: A Scalable System for Detecting Code Reuse Among Android Applications
  http://www.cs.berkeley.edu/~dawnsong/papers/2012%20juxtapp_dimva12.pdf
- (2) On the Feasibility of Internet-Scale Author Identification
  http://www.cs.berkeley.edu/~dawnsong/papers/2012%20On%20the%20Feasibility%20of%20InternetScale%20Author%20Identification.pdf
September 27: Insider Threat Detection
Pallabi Parveen, Nate McDaniel, Varun S. Hariharan, Bhavani M. Thuraisingham, Latifur Khan: Unsupervised Ensemble Based Learning for Insider Threat Detection. SocialCom/PASSAT 2012: 718-727
Papers to Read for Exam #1
October 4: Secure publication of digital evidence (in XML)
- Secure XML Publishing
  Elisa Bertino, Barbara Carminati, Elena Ferrari, Bhavani M. Thuraisingham, Amar Gupta: Selective and Authentic Third-Party Distribution of XML Documents. IEEE Trans. Knowl. Data Eng. 16(10): 1263-1278 (2004)
  The proofs and the math are not needed
October 11: Secure publication of digital evidence (in XML)
- Network Forensics Analysis with Evidence Graph
  https://www.dfrws.org/2005/proceedings/wang_evidencegraphs.pdf
Index to lectures for Exam #1
Lecture 1: Digital Forensics (8/30/2013) (extra credit)
Lecture 2: Cyber Security Modules (8/30/2013) (not included in the exam)
Lecture 3: Data Mining for Malware Detection
Lecture 4: Adaptive Malware (not included in the exam)
Lecture 5: Data Mining (not included in the exam)
Lecture 6: Data Recovery, Evidence Collection, Preservation
Lecture 7: Data Acquisition, Processing Crime Scenes, DF Analysis
Lecture 8: File Systems and Forensics Tools
Lecture 9: Validation and Recovery of Graphic Files, Steganography
Lecture 10: Network and Application Forensics
Lecture 11: Expert Witness and Report Writing
Lecture 12: Plagiarism Detection and Author Attribution (Anduleep's lecture)
Index to lectures for Exam #1
Lecture 13: Unsupervised Ensemble-Based Learning for Insider Threat (Nate's lecture)
Lecture 14: Secure Publishing of XML Data (Digital Evidence)
Lecture 15: Frankenstein Guest Lecture (not included in the exam)
NOTE: You need to understand the main concepts of the lectures, the book and the papers for the exam. You can skip the math details and the detailed algorithms.
Papers to Read for Exam #2 (October 25)
Database Forensics
http://www.cs.arizona.edu/people/rts/publications.html#auditing
- Tamper Detection in Audit Logs
  Richard T. Snodgrass, Stanley Yao and Christian Collberg, "Tamper Detection in Audit Logs," In Proceedings of the International Conference on Very Large Databases, Toronto, Canada, August–September 2004, pp. 504–515.
  Did the problem occur? (e.g., similar to intrusion detection)
- Forensic Analysis of Database Tampering
  Kyri Pavlou and Richard T. Snodgrass, "Forensic Analysis of Database Tampering," in Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD), pages 109-120, Chicago, June 2006.
  Who caused the problem? (e.g., similar to digital forensics analysis)
Papers to Read for Exam #2 November 1, 2013
XIRAF – XML-based indexing and querying for digital forensics
- http://dfrws.org/2006/proceedings/7-Alink.pdf
Selective and intelligent imaging using digital evidence bags (Ryan)
- http://dfrws.org/2006/proceedings/8-Turner.pdf
Detecting false captioning using common-sense reasoning (James)
- http://dfrws.org/2006/proceedings/9-Lee.pdf
Forensic feature extraction and cross-drive analysis
- http://dfrws.org/2006/proceedings/10-Garfinkel.pdf
A correlation method for establishing provenance of timestamps in digital evidence (Raul)
- http://dfrws.org/2006/proceedings/13-%20Schatz.pdf
FORZA – Digital forensics investigation framework that incorporate legal issues (Eric)
- http://dfrws.org/2006/proceedings/4-Ieong.pdf
Papers to Read for Exam #2 November 8, 2013
A cyber forensics ontology: Creating a new approach to studying cyber forensics (Grace)
- http://dfrws.org/2006/proceedings/5-Brinson.pdf
Arriving at an anti-forensics consensus: Examining how to define and control the anti-forensics problem (Eric)
- http://dfrws.org/2006/proceedings/6-Harris.pdf
"Advanced Evidence Collection and Analysis of Web Browser Activity", Junghoon Oh, Seungbong Lee and Sangjin Lee (David)
- http://www.dfrws.org/2011/proceedings/12-344.pdf
Forensic Investigation of Peer-to-Peer File Sharing Network. Robert Erdely, Thomas Kerle, Brian Levine, Marc Liberatore and Clay Shields. (Pedro)
- http://www.dfrws.org/2010/proceedings/2010-311.pdf
Android Anti-Forensics Through a Local Paradigm. Alessandro Distefano, Gianluigi Me and Francesco Pace. (Daun)
- http://www.dfrws.org/2010/proceedings/2010-310.pdf
Papers to Read for Exam #2 November 8, 2013
"An Automated Timeline Reconstruction Approach for Digital Forensic Investigations" Christopher Hargreaves and Jonathan Patterson (Cranfield University) (Jason)
- http://www.dfrws.org/2012/proceedings/DFRWS2012-8.pdf
"A General Strategy for Differential Forensic Analysis" Simson Garfinkel (Naval Postgraduate School), Alex Nelson (University of California, Santa Cruz) and Joel Young (Naval Postgraduate School) (Garrett)
- http://www.dfrws.org/2012/proceedings/DFRWS2012-6.pdf
"Bin-Carver: Automatic Recovery of Binary Executable Files" Scott Hand, Zhiqiang Lin (University of Texas at Dallas), Guofei Gu (Texas A&M University) and Bhavani Thuraisingham (University of Texas at Dallas) (Ryan)
- http://www.dfrws.org/2012/proceedings/DFRWS2012-12.pdf
Index to lectures for Exam #2
Lecture 16: Secure Cloud Computing
Lecture 17: Virtualization Security
Lecture 18: Database Tampering – Thuraisingham
Lecture 19: Guest Lecture – Memory Forensics
Lecture 20: Guest Lecture – Mobile Phone Forensics
Lecture 21: Some Digital Topics for GCFE
Lecture 22: Database Tampering – Byrd
Lecture 23: Database Tampering – Raul
Lecture 24: Selective and Intelligent Imaging Using Digital Evidence Bags – Ryan
Lecture 25: Cyber Forensics Ontology
Lecture 26: Android Forensics – Daun
Index to lectures for Exam #2
Lecture 27: Detecting False Captioning – Byrd
Lecture 28: Timeline Reconstruction
Lecture 29: Bin-Carver
Lecture 30: Arriving at an Anti-Forensics Consensus
Lecture 31: Guest Lecture – Space Traveler
Lecture 32: P2P Investigation
Lecture 33: FORZA Framework
Lecture 34: Advanced Evidence Collection and Analysis of Web Browser Activity
Lecture 35: XIRAF – XML-based Indexing and Querying for Digital Forensics
Lectures: November 15 and 22
November 15:
- Guest Lecture: Mobile phone forensics
- GCFE exam topics (high level)
- Review for exam
November 22:
- Guest Lecture: VM Space Traveler
- XIRAF paper
- Review for exam
December 6th and 13th
December 6: Tour of FBI Lab
December 13: Exam #2
Contacts: Instructor
- Dr. Bhavani Thuraisingham
- Louis Beecherl Distinguished Professor of Computer Science
- Executive Director of the Cyber Security Research and Education Institute
- Erik Jonsson School of Engineering and Computer Science
- The University of Texas at Dallas, Richardson, TX 75080
- Phone: 972-883-4738
- Fax: 972-883-2399
- Email: [email protected]
- URL: http://www.utdallas.edu/~bxt043000/
Contacts: Teaching Assistant
- Mohammed Iftekhar
- [email protected]
- Teaching Assistant, Computer Science
- PhD, Computer Science
- Erik Jonsson School of Engineering and Computer Science