CS4677, Computer Forensics (3-2) -- Syllabus for Winter 2017

 

Catalog description

 

This course covers the fundamentals of computer forensics in the context of DoN/DoD information operations. Students examine how information is stored and how it may be deliberately hidden and/or subverted. Coverage includes: practical forensic examination and analysis, techniques of evidence recovery, legal preparation of evidence, common forensic tools, principles of original integrity, disk examination, and logging. Prerequisite: CS3600.

 

Instructor

 

Prof. Neil Rowe, ncrowe@nps.edu, (831) 656-2462, GE-328 faculty.nps.edu/ncrowe.  No official office hours but he is usually there 900-1700. Lab manager is Riqui Schwamm, x3990, GE-237.

 

Grading

 

Three homework assignments (including some lab exercises) and a class project. Homework must be done by each student on their own without consulting anyone besides the instructor.  The project can be done in groups or individually. The project topic must be something related to forensics that requires at least 20 hours of work, and will need to be approved by the instructor. The penalty is 15% for assignments received after the due date. Homework should be submitted as a single document with your name at the top of the document, all material for each problem together (no appendices), and without the text of the problems (just your answers).

 

Laboratory

 

The lab we will use is GE-B013, in the basement of Glasgow East.  We have a limited number of key cards.  Windows machines are available and you can use your NPS account to log in. There are also two special workstations, one for imaging mobile devices, and one for imaging hard disks.  We will only use some of the scheduled lab hours with dates to be announced in class.

 

Textbook and materials

 

Required textbook is E. Casey Digital Evidence and Computer Crime, third edition, Academic Press, 2011.  This book focuses on nontechnical topics and will be supplemented by other more technical material in class to make this more of a graduate-level course.

 

Reading schedule

 

By 1/13: Read Chapters 1 and 2

By 1/23: Read Chapters 6 and 7

By 1/30: Read Chapter 15

By 2/6: Read Chapter 16

By 2/13: Read Chapter 17

By 2/20: Read Chapter 23

By 2/27: Read Chapter 3

By 3/7: Read Chapter 4

Project due 3/27

 

 

 

 

Topics covered in order:

·         Introduction: Analogies to and differences from traditional forensics

·         Forensic procedures: Analogies to procedures for criminal investigation

·         Basic concepts needed from computer science

·         Data collection: Different sources of forensic data

·         Forensic duplication: Important to do it carefully

·         File systems and file types: Analyzing structures

·         Text analysis: Searching for strings and counting patterns

·         Sleuthkit and Autopsy: Examples of standard forensic tools

·         File carving and personal artifacts: Finding useful data pieces and assembling them

·         Registry and times: Special kinds of useful bookkeeping, permit seeing patterns

·         Networking forensics: Network data, and constructing social networks from data

·         Deception in forensics: Enumerating the types encountered

·         Legal aspects of forensics: Privacy laws, expert testimony, reproducibility, special laws

 

Some ideas for the final project – these are just a start

• Analyze a cell phone of your own.
• Analyze how things you do on a computer or phone affects its files.
• Analyze a subset of drives in our corpus to determine their usage.
• Image NPS classroom and laboratory machines, and extract new kinds of data.
• Analyze the occurrence of malware in the corpus.
• Analyze the full set of effects on a drive of particular malware attacks.
• Test forensic methods for analyzing virtual machines.
• Analyze patterns of timestamps in particular directories across drives.
• Develop good methods for comparing drives to find similar ones.
• Develop new techniques for visualizing the data in our corpus.
• Develop big-data techniques for handling a large forensic corpus.
• Study effectiveness of a memory acquisition tool.
• Analyze particular methods for impeding forensics on a drive (“antiforensics”)
• Test our identified uninteresting files to see how often our analysis is correct.
• Test extension and directory classification to correct errors.
• Develop methods to detect leakage of classified information on a drive by looking for keywords.
• Determine the dialect of text.