01: Introduction

Welcome

Hello and welcome!

I’m Brian Levine and I’m the professor for this course, COMPSCI 365.

The most important thing to know today: the course web site is at https://people.cs.umass.edu/~brian/2023-fall-cs365. It includes the syllabus for this class, and you are expected to read it in its entirety. We use Moodle to post assignments, Gradescope to submit assignments, and Campuswire for announcements and answering questions.

Who am I?

Come by office hours Wednesdays 11am in person.

Who are our TAs/UCAs?

Two TAs and four graders. The TAs’ office hours are up on Moodle.

What is this course? / who is it for?

The goal of forensics is to gather artifacts for refinement into evidence that supports or refutes a hypothesis about an alleged crime or policy violation. Done correctly, forensics represents the application of science to law. The techniques can also be abused to thwart privacy.

This course is a broad introduction to forensic investigation of digital information and devices. We will cover the acquisition, analysis, and courtroom presentation of information from file systems, operating systems, networks, cell phones, and the like. Students do not need experience with these systems.

We will review the use of some professional tools that automate data harvesting; however, the primary goal of the class is to understand why and from where artifacts are recoverable in these systems. Several assignments involve coding forensic tools from scratch.

For a small portion of the class, we will cover some relevant issues from the law, privacy, and current events, such as safe design. Thus, the class serves the well-rounded student who is eager to participate in class discussion on a variety of technical and social issues.

I’m also interested in teaching you and holding you to some basic standards of coding and software engineering.

Content Overview

[Walk through of syllabus]

You’ll notice I’m writing on the chalk board and not using powerpoint. That’s how I roll. I will occasionally (depending upon topic, frequently) bust out the laptop for some live coding and demos, and once in a while for illustrations, but there are no slides or powerpoints available for this course. Come to class and take notes!

Just like this note here that you are reading, I often post notes from my lectures, typically a modification of notes from the previous semester. I do not guarantee that the notes will be there, be there on time, or be a complete record of what was talked about or what was important. You should come to class and take notes. In short, you may gain some benefit from these rough lecture notes, but they are not going to be complete. They are reminders for what I wish to cover for a lecture ahead; they are not updated after a lecture has occurred to reflect what happened accurately.

Prerequisites

COMPSCI 230. CS majors only (others will need to request an override). I expect a reasonable level of programming maturity. You’re going to be writing your assignments in Python. For most of you, Python hasn’t been required in a previous course, so you’re also going to be learning it as you go. The level of Python you’ll need should not be a significant challenge for you if you’ve passed the prerequisites. That said, you should start going through a Python (3.11) tutorial soon.

A motivating example

(This content, which continues into another lecture, was co-authored with Clay Shields/Georgetown Univ.)

As a newly hired forensic investigator for Locard Forensics, Inc., you have been assigned to a team led by Mr. Locard, who tells you the following information about a case already in progress.

Anne Adams worked as a designer of toys at the Acme Toy Company for over ten years, eventually becoming a senior designer. One year ago, Nadir Toy Corp. offered Adams a position as vice-president of toy design, including a large pay raise, and she took the offer. This week, Acme learned of Nadir’s newest toy, which in their view shared too much in common with a project Adams was seen working on before she left Acme: a toy rabbit. Mr. Locard has assigned you the task of verifying his hypothesis that Adams illegally copied documents describing the projects she worked on at Acme (documents owned by Acme) from her computer before she left.

Mr. Locard worked with lawyers to create a court-ordered subpoena that, under penalty of law, requires Adams to produce all her computers and storage devices. Your task as part of Locard’s team is to focus on her USB storage device. Mr. Locard has made an exact copy of the original USB device, a process called imaging. One of the advantages of digital evidence over traditional evidence is that exact copies can be made and analyzed without disturbing the original.

Later on, we’ll explain the details of how data is imaged from a storage device, including internal hard drives, USB storage, CD-ROMs, and more. A copy of the acquired image from Ms. Adams’ USB storage device will be on the course Web site (for a later class). All of the data on Adams’ device is now contained in a file called adams.dd; we don’t need another USB storage device to examine hers. In this case, her USB key is only a container for the digital evidence and not the evidence itself. The evidence file contains all the data that was previously on the USB key.
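As an added example (not part of the lecture notes or the case materials), the Python below shows the three steps the paragraph above names: copying a device block by block into an evidence file the way dd does, checking that the copy is exact by hashing both and comparing the digests, and then searching the image rather than the original. The 512-byte sector size, the use of SHA-256 as the integrity hash, the in-memory stand-in for the USB key and the function names are all assumptions of this example; on a real acquisition the source would be the raw block device, opened read-only behind a hardware write blocker.

```python
# Added example (not from the lecture notes): imaging a storage device into an
# evidence file, verifying the copy with a cryptographic hash, and searching
# the image for an artifact without touching the original.
#
# Assumptions (not stated in the lecture): 512-byte sectors, SHA-256 as the
# integrity hash, and a small constructed in-memory "device" in place of a
# real USB key.
import hashlib
import io
from typing import BinaryIO

SECTOR = 512


def image_device(src: BinaryIO, dst: BinaryIO, block_size: int = SECTOR) -> str:
    """Copy src to dst block by block (what dd does), hashing bytes as they are read.

    Hashing during the copy means the digest describes exactly the bytes that
    went into the image file, with no second pass over the original.
    """
    digest = hashlib.sha256()
    while True:
        block = src.read(block_size)
        if not block:
            break
        digest.update(block)
        dst.write(block)
    return digest.hexdigest()


def sha256_stream(f: BinaryIO, block_size: int = 1 << 20) -> str:
    """Hash a stream from offset 0 without loading it all into memory."""
    f.seek(0)
    digest = hashlib.sha256()
    for block in iter(lambda: f.read(block_size), b""):
        digest.update(block)
    return digest.hexdigest()


def verify_image(original: BinaryIO, image: BinaryIO) -> bool:
    """The image stands in for the original only if the two hash identically."""
    return sha256_stream(original) == sha256_stream(image)


def find_artifacts(image: BinaryIO, needle: bytes, chunk_size: int = 4096) -> list[int]:
    """Return absolute byte offsets of every occurrence of needle in the image.

    The image is read in chunks (a real image may be larger than RAM). The last
    len(needle)-1 bytes of the previous chunk are kept so that a match which
    straddles a chunk boundary is still found, and found exactly once.
    """
    if not needle:
        raise ValueError("needle must be non-empty")
    image.seek(0)
    hits: list[int] = []
    tail = b""
    chunk_start = 0
    while True:
        chunk = image.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        buf_start = chunk_start - len(tail)
        pos = buf.find(needle)
        while pos != -1:
            hits.append(buf_start + pos)
            pos = buf.find(needle, pos + 1)
        chunk_start += len(chunk)
        tail = buf[-(len(needle) - 1):] if len(needle) > 1 else b""
    return hits


def build_sample_device() -> bytes:
    """Constructed sample device of 8 sectors; not data from the real case."""
    sectors = [bytearray(SECTOR) for _ in range(8)]
    sectors[0][510:512] = b"\x55\xaa"  # MBR-style boot signature in sector 0
    # "rabbit" split across the sector 3 / sector 4 boundary
    sectors[3][SECTOR - 3:] = b"rab"
    sectors[4][:3] = b"bit"
    # text of a file whose directory entry is gone but whose sector is intact
    note = b"ACME CONFIDENTIAL: toy rabbit design notes, draft 3\n"
    sectors[5][:len(note)] = note
    return bytes(b"".join(sectors))


def run_demo(chunk_size: int = 4096) -> dict:
    """Acquire, verify, and search the sample device; results returned for checking."""
    original = io.BytesIO(build_sample_device())  # stands in for the read-only device
    image = io.BytesIO()                           # becomes the adams.dd-style evidence file
    acquired_hash = image_device(original, image)
    verified = verify_image(original, image)
    # a single changed byte in the image must be caught by re-verification
    bad = bytearray(image.getvalue())
    bad[0] ^= 0x01
    tamper_detected = not verify_image(original, io.BytesIO(bytes(bad)))
    hits = find_artifacts(image, b"rabbit", chunk_size=chunk_size)
    return {"hash": acquired_hash, "verified": verified,
            "tamper_detected": tamper_detected, "hits": hits,
            "image": image.getvalue()}


if __name__ == "__main__":
    result = run_demo(chunk_size=1024)
    print("acquisition hash:", result["hash"])
    print("image verifies:", result["verified"], "| tamper detected:", result["tamper_detected"])
    for off in result["hits"]:
        print(f"'rabbit' at byte {off} (sector {off // SECTOR}, offset {off % SECTOR})")
```

The acquisition hash is what gets written into the custody record alongside the examiner’s name and the time; every later analysis starts by recomputing it over the image and checking that it still matches, which is the only thing that turns "an exact copy" from a claim into something a court can check.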

A forensic investigation has several goals, depending on the context. Typically, the primary goals are to

  1. Determine if there is evidence that a crime, tort, or policy violation has been committed;
  2. Identify the related events and actions that occurred;
  3. Identify who might be responsible.

In many criminal investigations, the goal of the investigator may additionally include determining the motive and intent of the perpetrator, corroborating alibis of the innocent, and verifying statements of witnesses. Moreover, criminal investigators need to preserve a demonstrable link (a chain of custody) between the artifacts found at a crime scene and the later presentation of the evidence in court.

All these tasks must be performed with integrity.

Our focus is on digital evidence, and so we will not detail procedures for gathering other types of evidence. Note, however, that it’s rare that only digital evidence is collected from a scene. Crime scene investigation can involve gathering the chemical, ballistic, and biological remains of a crime. If you are interested in these topics, Saferstein has written an excellent introductory book.

In our particular case, our goal is to locate evidence in the USB key data that demonstrates the toy rabbit was first designed by Adams while she was still employed by Acme. We’ll see this in a later class.

Some administrivia

Let’s pause the course material to discuss some administrative stuff.

First, some words about assignments and grading.

Assignments (60%)

The majority of the workload in this course will consist of take-home assignments. These assignments will involve writing, programming, or both. Written assignments will have a series of questions, and will require that you understand basic legal and technical concepts to answer them correctly. Some written assignments will require detailed analyses (for example, reasoning about a particular technology in the context of a law).

Programming assignments will typically involve implementing a forensic tool from scratch using Python. Typically these tools involve parsing data. We are going to essentially autopsy computers (disks, files, etc.). There will be bits everywhere and it can be overwhelming.

As an analogy, if you bought a cookbook and followed the directions for a recipe, you would be cooking; instead, I’m going to teach you to be a chef (or at least, the skills you’ll need to be one).

We’ll focus mostly on the computer and networking side of digital forensics. We are going to spend quite a bit of time on the 4th Amendment and related case law. If you find yourself loving the law side of the class – and there are usually a good number of students in the course who do – please take either COMPSCI 391 Computer Crime Law or COMPSCI 563 Internet Law and Policy, taught by Marvin Cable, Esq. And/or go to law school! A handful of students over the years have taken this course and decided to get a degree in law. A CS degree combined with a law degree is a powerful combination (if you can afford it).

Assignments are not collaborative: you must complete them on your own. Exceptions to this rule will be clearly noted. You can ask others for help, but you must not do so by showing them your code or by looking at their code or written answers. You can explain things to each other using class notes and the text ONLY. You can show your code to me and the TAs ONLY.

We plan to give many assignments. Each assignment will contribute a stated number of points toward the “Assignments” portion of your course grade. Each assignment may be worth a different amount of points. We don’t drop the lowest assignment or anything like that.

Assignments have a due date, clearly marked on the course web site. Late assignments will not be accepted. Requests for extensions need to be made at least a day in advance and involve a reason recognized by university policy. You can ask for an extension using a google form posted to our moodle site.

Midterm and final exam (15%/15%)

There will be one midterm and one final exam. You must achieve a grade average of 50% on the two to pass the course. The final is not cumulative but material in the second half of the course is dependent on your understanding of much of the first half.

You may not bring supplemental material to the midterm or final exam; that is, they are closed-book, and the use of notes, calculators, computers, phones, etc., is forbidden unless otherwise explicitly stated. All such materials must be at the FRONT of the room if you bring them to the exam. Possession of phones, books, notes, etc. on your person (e.g., in your pocket) as you take an exam is cheating and will result in a zero grade for the exam (and makes it unlikely you’ll end up with a 50% average; see note above).

Exams must be completed on your own: they are not collaborative!

Clickers (10%)

In-person lecture attendance is required and we use iClicker questions as part of your grade (10%). Clicker question grading is explained in the syllabus.

Other things to note:

If you have a UMass-assigned accommodation, please make sure I know about it from the DS Office. If I have heard about it, then I have emailed you an acknowledgement. If you have not registered with DS, I cannot offer you any accommodations, nor is it UMass policy to backdate accommodations.

Get notes from a friend if you miss class. More to the point, “it wasn’t in the book” isn’t a reasonable complaint if it was in lecture. Similarly, assigned reading is required reading. Saying “it wasn’t in lecture” about an exam question isn’t a reasonable complaint if I assigned it.

We’re using Campuswire for discussion. The URL and entry code are posted to Moodle.

At the start of the semester, I will permit laptops and the like in the classroom. If it becomes clear that they are being used for purposes not directly related to the class, I will ban them. It is unfair to distract other students with tiktok feeds, animated ads, and the like. If you never look up from your laptop screen, I will call on you and ask you to look up.

Regardless, I recommend taking notes by hand. Research suggests that students who take written notes in class significantly outperform students who use electronic devices to take notes.

Discussion of Sexual Abuse, Crime, and Mature Themes

Finally, note that we will talk about topics never discussed in other CS contexts: murder, adult pornography, child sexual abuse material (CSAM), abortion, etc. I have a lot of experience discussing these topics in class. I am able to do so in a clinical manner that allows for academic learning, and in the case of crime respecting that there are real survivors who have endured abuse. You will learn to do the same. We will keep discussions at a high level. We won’t go into graphic detail. But some frank talk is unavoidable when discussing the motivation behind performing an investigation. Be forewarned that court opinions, court declarations, and news articles do not hold back in their descriptions of events.

If during a particular discussion, you find you need to leave in the middle of class, please do so, no questions asked. But please consider now, ahead of add/drop, whether these topics suit you. If they do not, I recommend you take a different elective to fulfill the CS degree as this course is not required. I am not trying to take away a chance for you to learn.

I say drop because I am one of maybe a handful of professors in the country who teach on these topics in CS. In this course, I hope to encourage a next generation of professionals who can work on these topics. While you have n-1 courses in CS available to complete your degree, COMPSCI 365 is the only course that offers CS undergrads a chance to see if they can work in a field that overlaps with victims of crime and/or abuse. I am also keen on making it clear to the next generation of software engineers for the big and small tech companies that products are used widely for crime. Today, this fact is swept under the rug faster than a broom in the hands of a 1994 Cigarette Company executive. You are often told in your security courses to make your code secure; that’s necessary but not sufficient. I’m telling you that you also need to make it safe.

End-of-class reminders

Read the Syllabus on the course web site.

Assignments and their due dates will go up on the web site as they become available. Assignment 1 is already up on Moodle.

Required (and optional) reading and lecture notes are posted to the public course web site.

If you aren’t enrolled and want to be, make sure you talk to me before you leave.

Check on your accommodation status and whether I know about it.