Schedule
This page is a schedule of topics and readings. Lecture notes will often but not always be posted sometime following each lecture. Please remember that the notes (when available) are a supplement to, not a replacement for, attending class and taking your own notes. This schedule is approximate, and may change at my discretion (for example, if we spend more time on a particular topic than initially planned).
Assignments and due dates are listed separately.
Schedule
Each unit in the schedule will be approximately one week (two lectures); some units may take three or four lectures. I will update this schedule as the semester progresses.
Unit 1
Topics
- Basics of Forensics
- A Motivating Example
- Data Representation
- Brief Introduction to Python for Forensics
Lectures
Reading
Carrier, Chapter 1 (and optionally start 3)
Other optional readings and resources
- On ASCII and Unicode:
- On Python:
  - https://docs.python.org/3.5/ (in particular, the tutorial and library reference)
  - https://learnxinyminutes.com/docs/python3/
  - http://www.diveintopython3.net/index.html
- On classes of evidence:
Unit 2
- Carving Data from Files
- Metadata in Data: EXIF as a case study
Lectures
Reading
Carrier, Chapter 2
Other optional readings and resources
- Handout 1: Data Representation
- UTF-8
- UTF-16
- Exif Specification
- Description of the Exif file format
- ITU-T Recommendation T.81 (JPEG)
Unit 3
- Criminal/Legal Forensics
- Forensics is science applied to law (G. Sapir, Daubert)
- Contraband and knowing possession (G. Marin)
- Indicia of intent (T. Howard)
Lectures
Reading
- G. Sapir, Qualifying the Expert Witness
- G. Marin, Possession of Child Pornography: Should You be Convicted When the Computer Cache Does the Saving for You? (Note: don't be an idiot! This article and others we'll read discuss methods of downloading from the Internet materials related to child sexual exploitation. Enrollment in this class is never authorization to break any laws. Do not even search for keywords related to child pornography, and certainly don't download any materials. You could end up in court or jail for a long time and ruin your entire life.)
- T. Howard, Don't Cache Out Your Case: Prosecuting Child Pornography Possession Laws Based on Images Located in Temporary Internet Files
Other optional readings and resources
- The Daubert Trilogy:
Midterm Exam 1
The first midterm will be on Thursday, February 23rd, during our regular lecture meeting time. Please arrive promptly and seat yourself such that you are not immediately adjacent to other students.
Unit 4
Network Investigations I
Lectures
Reading
- Hennessey and Weaver, A Judicial Framework for Evaluating Network Investigative Techniques
Other optional readings and resources
- Tor: Overview
- Tor: Hidden Service Protocol
- Orin Kerr, Government ‘hacking’ and the Playpen search warrant
- Orin Kerr, Remotely accessing an IP address inside a target computer is a search
- Remote, Durable Proof of Possession: B. Levine et al., Efficient Tagging of Remote Peers During Child Pornography Investigations (this is the journal version of an earlier 2010 paper)
Unit 5
- Disk Image Acquisition
- Filesystem Forensics: Master Boot Records (MBRs), GPTs, partitions, volumes
- FAT Filesystems
Lectures
- 09: Acquisition, Volumes, MBRs
- 10: GPTs, Intro to the FAT filesystem
- 11: FATs and Directory Entries
- 12: Parsing FAT
Reading
- Carrier, Chapter 3, 4, 5 (through DOS Partitions), Chapter 6 (just GPT Partitions)
- Carrier, Chapter 8, 9, 10
Optional reading
Volumes and partitions:
- https://en.wikipedia.org/wiki/Master_boot_record
- https://en.wikipedia.org/wiki/Partition_type
- https://en.wikipedia.org/wiki/Cylinder-head-sector
- https://en.wikipedia.org/wiki/GUID_Partition_Table
FAT:
Unit 6
- NTFS Filesystems
Lectures
Reading
- Carrier, Chapter 11, 12, 13
Optional reading
Unit 7
- Network Investigations II: Wiretapping Technology and Privacy; Email Investigations
Lectures
Reading
- S. Bellovin et al., Going Bright: Wiretapping without Weakening Communications Infrastructure [doi link] [local copy]
- S. Bellovin et al., Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet [doi link] [local copy]
Optional reading
- Lawful hacking and the case for a strategic approach to "Going Dark"
- "Don't Panic": Making Progress on the "Going Dark" Debate
- Email header forensics
- SMTP
Midterm Exam 2
The second midterm will be on Thursday, April 6th, during our regular lecture meeting time. Please arrive promptly and seat yourself such that you are not immediately adjacent to other students.
Unit 8
- Malware and Related Legal Issues (The Trojan Horse defense)
- Windows Artifacts
Lectures
- 18: The Trojan Horse Defense; Intro to Windows Forensics
- 19: Windows Forensics; Miscellaneous (Boot JMPs, PGP)
Reading
- S. Brenner et al., The Trojan Horse Defense in Cybercrime Cases [link] [local copy]
- H. Carvey, Windows Forensic Analysis, available through UMass Library online (as are other relevant titles)
- J. Barbara, Windows 7 Registry Forensics (seven-part series, starting here)
- https://blogs.sans.org/computer-forensics/files/2012/06/SANS-Digital-Forensics-and-Incident-Response-Poster-2012.pdf
Optional reading
- S. Brenner on the Trojan Horse Defense
Unit 9
- Cell Phone Forensics
Lectures
Reading
- S. Garfinkel et al., Using purpose-built functions and block hashes to enable small block and sub-file forensics [link] [doi link]
- R. Walls et al., Forensic Triage for Mobile Phones with DEC0DE [link]
- S. Varma et al., Efficient Smart Phone Forensics Based on Relevance Feedback [link]
Optional reading
- http://www.toolwar.com/2014/04/scalpel-data-carving-tools.html
- https://github.com/sleuthkit/scalpel
- https://github.com/simsong/bulk_extractor
Unit 10
- Storage Technology: Spinning platters and solid state
Lectures
Reading
- http://www.serialata.org/technical-overview
- https://en.wikipedia.org/wiki/Magnetic_storage
- https://en.wikipedia.org/wiki/Solid-state_drive
- https://belkasoft.com/en/ssd-2014 (or https://belkasoft.com/download/info/SSD%20Forensics%202014.pdf)
Unit 11
- Practicalities of Being an Expert Witness
Lectures
Optional reading
- Chapter 5 from Smith, F.C., & Bace, R.G. (2002). A Guide to Forensic Testimony: The Art and Practice of Presenting Testimony as an Expert Technical Witness. Boston, MA: Addison-Wesley. (available from WorldCat)
- Affidavit from Jayson Street (an example of an expert witness's output) [pdf]
- My Cousin Vinny [imdb link]
Final Exam
Our exam is scheduled for: Thursday, 05/04/2017, 10:30am--12:30pm, Morrill I N375.
Please note (from the Academic Rules and Regulations):
...it is University policy not to require students to take more than two final examinations in one day of the final examination period. If any student is scheduled to take three examinations on the same day, the faculty member running the chronologically middle examination is required to offer a make-up examination if the student notifies the instructor of the conflict at least two weeks prior to the time the examination is scheduled. The student must provide proof of the conflict. This may be obtained from the Registrar's Office, 213 Whitmore.