Cyber forensics:

Course Summary

This course aims to teach various techniques and knowledge to understand software systems in forensics’ perspectives at various levels.

Automated (Malicious/Victim) Program Analysis for Cyber Forensics

Specifically, you will learn how to analyze and understand (malicious or victim) programs automatically by leveraging dynamic and static program analysis techniques. We will learn how to build automatic tools via existing program analysis frameworks such as LLVM and Pin.

Post-mortem Forensic Analysis

Second, you will learn how to leverage cyber forensics tools to conduct a post-mortem analysis. Given a memory/disk dump file collected from the victim computer, we will learn how to navigate the complex code and data to understand what happened during the attack and how to trace back to the origin of the attack. Tools like Volatility (https://www.volatilityfoundation.org/) will be used. Moreover, we will learn how to gather forensic information from various files. For instance, reading undocumented file formats via file-format reverse engineering, and analyzing multiple files to identify corrupted logs, etc.

Advanced Cyber Forensic Techniques

Third, you will learn state-of-the-art cyber forensic techniques. For instance, one of the recent advances in memory forensic is the technique that can reproduce the program execution from the memory. From a memory dump of a dead process, you will learn how to resurrect the program execution. Moreover, we will look into advanced techniques to reverse-engineer malware to understand attackers’ intentions.

Grading

1. Assignments: 70% (Assign. 1: 20%, Assign. 2: 25%, Assign. 3: 25%)

2. Take-home quizzes: 20% (For some tools that we cover in the class, there will be small extra tasks for take-home quizzes)

• We will have 6 quizzes. Each quiz is worth 5 points. Anyone who earns more than 20 points (getting 4 perfect answers) will have 20% for quiz score.

• If you earn more than 20 points, it will be counted as extra credit. Those extra credits will be considered when we get the final grade. So, please do not assume that you can aid your scores in other sections with extra credits earned from the quizzes.

3. Participation: 10%

Notice

• There will be 3 assignments for undergraduate students and 5 assignments for graduate students.

• Late policy: 1 day late (10% penalty), 2 days late (20% penalty), 3 days late (50% penalty), more than (and including) 4 days late (100% penalty)

  • Late policy can be flexible under special circumstances. However, we will cover the answers during the class. Hence, once the answer is released, no new submissions can be accepted. To make up the score, one should consult with the instructor.

• All assignments and quizzes are individual. Discussions are acceptable (but you should mention how much you discussed with whom. Code sharing is strictly NOT allowed. If you are not sure, please consult with the instructor.)

(Tentative) Schedule

Week 1. Introduction

• [Quiz 1]

Week 2. Dynamic Analysis for Cyber Forensics

• How to use debugging tools, disassemblers, and the Intel Pin framework.

Week 3. Dynamic Analysis for Cyber Forensics

• How to use debugging tools, disassemblers, and the Intel Pin framework.

• [A] Assignment 1 (Dissecting a malicious program) releases.

• [Quiz 2]

Week 4. Malware Analysis

• How to use debugging tools, disassemblers, and the Intel Pin framework. (Tue)

• Pin details, particularly regarding the assignment 1 (Thursday)

Week 5. Forensic Artifact Recovery

• Basic concepts of forensic artifact recovery (e.g., disk/memory forensic).

• Introducing Volatility Tool (https://www.volatilityfoundation.org)

Week 6. Advanced Forensic Artifact Recovery

• File-format Reverse-engineering: how to understand data/message in the file/network message when you do not know their formats?

• Anti-debugging, anti-analysis techniques

• [D] Assignment 1 due (Sunday midnight of the Week 6).

• [A] Assignment 2 (Reconstructing Inputs from a Memory Dump) releases.

• [Quiz 3]

Week 7. Memory Forensic and Program State Reconstruction

• Basic concepts of memory forensics and how to recover program execution from the data.

Week 8. Review Session for Assignment 1 + Incident Response

• Going over the details of Assignment 1

• [D] Assignment 2 due (Saturday midnight of the Week 7).

• [Quiz 4]

Week 9. Spring Recess

Week 10. Static Analysis: LLVM

• LLVM introduction. Why it is useful and what it can do.

• [A] Assignment 3: Building an automated malware detector via LLVM

• [2 additional assignments for 6501 will be released. Submit by the end of the semester]

Week 11. LLVM (cont.)

• LLVM details for assignment 3. We will cover what is needed for assignment 3, and how it works.

• Information Flow Tracking

Week 12. Static-analysis / Information Flow Tracking

• Information Flow Tracking

• Static-analysis

• [Quiz 5]

Week 13. Advanced cyber forensic topics

• Anti-forensic techniques and analysis: Moving target defense, Deceptive techniques against forensic analysis.

Week 14. Advanced cyber forensic topics

• Some of recent (and futuristic) stuff regarding cyber forensics.

• E.g., Cyber crime-scene reconstruction. Advanced automated malware analysis. Anomaly Detection, N-version system.

• [D] Assignment 3 due (Saturday midnight of the Week 14)

Week 15. Recap the course

• Some of the weeks will be changed due to the travel schedules during the semester. For example, some weeks might be replaced with a take-home assignment. In such a case, you will do a small assignment instead of attending the class. The details will be announced during the class, and this website in the future.