Digital Forensics

Dr. Bhavani Thuraisingham The University of Texas at Dallas Introduction to the Course August 31, 2012

Outline of the Unit

Objective of the Course Outline of the Course Course Work Course Rules Contact

- Text Book: Guide to Computer Forensics and Investigations

- Bill Nelson, Amelia Phillips, Frank Enfinger, and Christopher
Steuart

- Thompson Course Technology

Objective of the Course

The course describes concepts, developments, challenges, and

directions in Digital Forensics.

Text Book: Computer Forensics and Investigations. Bill Nelson et al, Topics include:

- Digital forensics fundamentals, systems and tools, Digital

forensics evidence and capture, Digital forensics analysis,

Outline of the Course

Introduction to Data and Applications Security and Digital

Forensics SECTION 1: Computer Forensics Part I: Background on Information Security Part II: Computer Forensics Overview - Chapters 1, 2, 3, 4, 5 Part III: Computer Forensics Tools Chapters 6, 7, 8 Part IV: Computer Forensics Analysis - Chapters 9, 10 Part V Applications Chapters 11, 12, 13

Outline of the Course

Part VI: Expert Witness

- Chapters 14, 15, 16

SECTION II

- Selected Papers - Digital Forensics Research Workshop

Guest Lectures

- Richardson Police Department - North Texas FBI - Digital Forensics Company in DFW area

Course Work

Two exams 20 points each Term paper 12 points Programming project: 20 points Digital Forensics project: 16 points Four assignments each worth 8 points, total: 32 points

Tentative Schedule
Assignment #1 due date: September 21, 2012 (September 28,

2012) Assignment #2: due date: September 28, 2012 (new date: October 12, 2012) Term paper #1: October 12, 2012 (October 26, 2012) Exam #1: October 19, 2012 Assignment #3: October 26, 2012 (November 30, 2012) Assignment #4: November 2, 2012 (November 30, 2012) Digital Forensics Project: November 16, 2012 (November 30) Programming Project: November 30, 2012 Exam #2: December 14, 2012

Term Paper Outline

Abstract Introduction Analyze algorithms, Survey, - - Give your opinions Summary/Conclusions

Programming/Digital Forensics Projects

Encase evaluation Develop a system/simulation related to digital forensics

- Intrusion detection - Ontology management for digital forensics - Representing digital evidence in XML - Search for certain key words

Course Rules
Unless special permission is obtained from the instructor, each

student will work individually

Copying material from other sources will not be permitted unless the

source is properly referenced

Any student who plagiarizes from other sources will be reported to

the Computer Science department and any other committees as advised by the department

Contact
For more information please contact

Dr. Bhavani Thuraisingham Professor of Computer Science and Director of Cyber Security Research Center Erik Jonsson School of Engineering and Computer Science EC31, The University of Texas at Dallas Richardson, TX 75080 Phone: 972-883-4738 Fax: 972-883-2399 Email: bhavani.thuraisingham@utdallas.edu http://www.utdallas.edu/~bxt043000/

Assignments for the Class: Hands-on projects from the text book
Assignments #1

- Chapter 2: 2.1, 2.2, 2.3

Assignment #2

- Chapter 4: 4.1, 4.2 - Chapter 5: 5.1, 5.2

Assignment #3

- Chapter 9: 9-1, 9-2 - Chapter 10: 10-1

Assignment #4

- Chapter 12: 12-1, 12-2 , 12-3

Papers to Read for Exam #1

http://www.sciencedirect.com/science/article/pii/S1742287604000271

(crime scene analysis)

http://www.porcupine.org/forensics/forensic-discovery/chapter3.html

(file system basics)

http://www.fbi.gov/about-us/lab/forensic-science-

communications/fsc/july2004/research/2004_03_research01.htm (Steganography overview)

http://www.dfrws.org/2005/proceedings/wang_evidencegraphs.pdf

(network forensics, Iowa state U. paper)

Pallabi Parveen, Jonathan Evans, Bhavani M. Thuraisingham, Kevin

W. Hamlen, Latifur Khan: Insider Threat Detection Using Stream Mining and Graph Mining. SocialCom/PASSAT 2011: 1102-1110
Learn the details of one forensics tool

Index to lectures for Exam #1

Lecture #1: Digital Forensics (8/31/2012) Lecture #2: Cyber Security Modules (8/31/2012)

Lecture #3: Data Mining background (no date)

Lecture #4: Computer Forensics Data Recovery and Evidence

Collection and Preservation (9/7/2012)

Lecture 5: Data Mining for Malware Detection (Tapes: 9/14/2012

Lecture 6: File System Forensics (discussed 10/5/2012)

Lecture 7: Encase Overview (discussed (9/28/2012) Lecture 8: Insider Threat Ms Parveen Lecture (9/14/2012) Lecture 9: Data Acquisition, Processing Crime Scenes and Digital

Forensics Analysis (9/21/2012)

Lecture 10: Validation and Recovering Graphic Files and

Steganography (9/28/2012)

Index to lectures for Exam #1

Lecture 11: Expert Witness and Report Writing (10/12/2012) Lecture 12: Network and Applications Forensics (10/5/2012)

Index to lectures for Exam #2

Lecture 13: Secure Sharing of Digital Evidence (1) Lecture 14: Richard Wartell Guest Lecture (10/26/2012) Lecture 15: Detecting False Captioning (Marie Yarbrough)

(0.5) Lecture 16: Detection and Analysis of Database Tampering (1) Lecture 17: Virtualization Security (0.5) Lecture 18: Guest Lecture Mr. Satyen Abrol Lecture 19: Smartphone Malware detection (Dr. Zhou) (1) Lecture 20: Dr. Lin Lecture (1) Lecture 21: Selective and Intelligence Imaging, Nicholas Charlton (0.5) Lecture 22: XIREF, Antonio Guzman (0.5) Lecture 23: Timestamps. Kirby Flake (0.5)

Index to lectures for Exam #2

Lecture 24: Forza, Matt Lawrence (0.5) Lecture 25: Anti forensics, Charles Sammons (0.5) Lecture 26: Ontology for DF, Jason Mok (0.5)

Lecture 27: Anrdoid Anti Forensics, Michael Johnston (0.5)

Lecture 28: Forensics Investigation of peer to peer file sharing

Nate Bleaker (0.5) Lecture 29: Forensics Feature Extraction and cross drive analysis, David Pederson (0.5) Lecture 30: Advanced Evidence Collection and Analysis of Web Browser Activity, Jeff (0.5) Lecture 31: Secure Cloud Computing (0.5)

Papers to read Exam #2 (Lecture October 12, 2012)

Elisa Bertino, Barbara Carminati, Elena Ferrari, Bhavani M.

Thuraisingham, Amar Gupta: Selective and Authentic ThirdParty Distribution of XML Documents. IEEE Trans. Knowl. Data Eng. 16(10): 1263-1278 (2004)
Abhijith Shastry, Murat Kantarcioglu, Yan Zhou, Bhavani M.

Thuraisingham: Randomizing Smartphone Malware Profiles against Statistical Mining Techniques. DBSec 2012: 239-254 (this paper will be posted on e-learning. It is the lecture given by Dr. Yan Zhou)

Papers to Read for November 2, 2012

http://www.cs.arizona.edu/people/rts/publications.html#auditing Richard T. Snodgrass, Stanley Yao and Christian Collberg,

"Tamper Detection in Audit Logs," In Proceedings of the International Conference on Very Large Databases, Toronto, Canada, AugustSeptember 2004, pp. 504515. Tamper Detection in Audit Logs Did the problem occur? (e.g. similar to intrusion detection) Kyri Pavlou and Richard T. Snodgrass, "Forensic Analysis of Database Tampering," in Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD), pages 109-120, Chicago, June, 2006. Who caused the problem (e.g., similar to digital forensics analysis)

Papers to Read for November 2, 2012

. Papers on Intelligent Digital Forensics
http://dfrws.org/2006/proceedings/7-Alink.pdf XIRAF XML-based indexing and querying for digital forensics

http://dfrws.org/2006/proceedings/8-Turner.pdf Selective and intelligent imaging using digital evidence bags http://dfrws.org/2006/proceedings/9-Lee.pdf Detecting false captioning using common-sense reasoning

Papers to Read for November 9

Forensic feature extraction and cross-drive analysis

- http://dfrws.org/2006/proceedings/10-Garfinkel.pdf
A correlation method for establishing provenance of timestamps in

digital evidence http://dfrws.org/2006/proceedings/13-%20Schatz.pdf FORZA Digital forensics investigation framework that incorporate legal issues - http://dfrws.org/2006/proceedings/4-Ieong.pdf A cyber forensics ontology: Creating a new approach to studying cyber forensics - http://dfrws.org/2006/proceedings/5-Brinson.pdf Arriving at an anti-forensics consensus: Examining how to define and control the anti-forensics problem http://dfrws.org/2006/proceedings/6-Harris.pdf

Papers to Review for November 16

Advanced Evidence Collection and Analysis of Web Browser

Activity", Junghoon Oh, Seungbong Lee and Sangjin Lee http://www.dfrws.org/2011/proceedings/12-344.pdf

Forensic Investigation of Peer-to-Peer File Sharing Network.

Robert Erdely, Thomas Kerle, Brian Levine, Marc Liberatore and Clay Shields. http://www.dfrws.org/2010/proceedings/2010-311.pdf
Android Anti-Forensics Through a Local Paradigm.

Alessandro Distefano, Gianluigi Me and Francesco Pace. http://www.dfrws.org/2010/proceedings/2010-310.pdf