Schedule
This page is a schedule of topics and readings. Lecture notes will often but not always be posted sometime following each lecture. Please remember that the notes (when available) are a supplement to, not a replacement for, attending class and taking your own notes. This schedule is approximate, and may change at my discretion (for example, if we spend more time on a particular topic than initially planned).
Each unit in the schedule will be approximately one week (two lectures); some units may take three or four lectures. I will update this schedule as the semester progresses.
Assignments and due dates are listed separately.
Unit 1: Intro
Topics
- Basics of Forensics
- A Motivating Example
- Data Representation
- Brief Introduction to Python for Forensics
Lectures
Reading
Carrier, Chapter 1 (and optionally start 3)
Other optional readings and resources
- On ASCII and Unicode:
- On Python:
- https://docs.python.org/3.6/ (in particular, the tutorial and first few chapters of the library reference)
- https://learnxinyminutes.com/docs/python3/
- http://www.diveintopython3.net/index.html
- On classes of evidence:
Unit 2: Carving and Exif
- Carving Data from Files
- Metadata in Data: EXIF as a case study
Lectures
Reading
Carrier, Chapter 2
Other optional readings and resources
- Handout 1: Data Representation
- UTF-8
- UTF-16
- Exif Specification
- Description of the Exif file format
- ITU-T Recommendation T.81 (JPEG)
- the Jupyter notebook from Lecture 06. I strongly recommend you try to write the code for the corresponding assignment without copy/pasting from this notebook. For future work I won’t spend as much (or any) time writing the Python for parsing in class. Start practicing now!
Unit 3: Forensic Science and Law
- Criminal/Legal Forensics
- Forensics is science applied to law (G. Sapir, Daubert)
- Contraband and knowing possession (G. Marin)
- Indicia of intent (T. Howard)
Lectures
Reading
- G. Sapir, Qualifying the Expert Witness
- G. Marin, Possession of Child Pornography: Should You be Convicted When the Computer Cache Does the Saving for You? (Note: don’t be an idiot! This article and others we’ll read discuss methods of downloading from the Internet materials related to child sexual exploitation. Enrollment in this class is never authorization to break any laws. Do not even search for keywords related to child pornography, and certainly don’t download any materials. You could end up in court or jail for a long time and ruin your entire life.)
- T. Howard, Don’t Cache Out Your Case: Prosecuting Child Pornography Possession Laws Based on Images Located in Temporary Internet Files
Other optional readings and resources
- The Daubert Trilogy:
Unit 4: Network Investigations I
- NITs and Tor
Lectures
Reading
- Hennessey and Weaver, A Judicial Framework for Evaluating Network Investigative Techniques
Other optional readings and resources
- Tor: Overview
- Tor: Hidden Service Protocol
- Orin Kerr, Government ‘hacking’ and the Playpen search warrant
- Orin Kerr, Remotely accessing an IP address inside a target computer is a search
- Remote, Durable Proof of Possession: B. Levine et al., Efficient Tagging of Remote Peers During Child Pornography Investigations (this is the journal version of an earlier 2010 paper)
Unit 5: Volumes, Partitions, and FAT
- Disk Image Acquisition
- Filesystem Forensics: Master Boot Records (MBRs), GPTs, partitions, volumes
- FAT Filesystems
Lectures
- 09: Acquisition, Volumes, MBRs
- 10: GPTs, Intro to the FAT filesystem
- 11: FATs and Directory Entries
- 12: Parsing FAT
Reading
- Carrier, Chapter 3, 4, 5 (through DOS Partitions), Chapter 6 (just GPT Partitions)
- Carrier, Chapter 8, 9, 10
Optional reading
Volumes and partitions:
- https://en.wikipedia.org/wiki/Master_boot_record
- https://en.wikipedia.org/wiki/Partition_type
- https://en.wikipedia.org/wiki/Cylinder-head-sector
- https://en.wikipedia.org/wiki/GUID_Partition_Table
FAT:
Unit 6: NTFS
- NTFS Filesystems
Lectures
Reading
- Carrier, Chapter 11, 12, 13
Optional reading
Unit 7: Network Investigations II
- Wiretapping Technology and Privacy; Email Investigations
Lectures
Reading
- S. Bellovin et al., Going Bright: Wiretapping without Weakening Communications Infrastructure [doi link] [local copy]
- S. Bellovin et al., Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet [doi link] [local copy]
Optional reading
- Lawful hacking and the case for a strategic approach to “Going Dark”
- “Don’t Panic”: Making Progress on the “Going Dark” Debate
- Email header forensics
- SMTP
Unit 8: Malware and Windows Artifacts
- Malware and Related Legal Issues (The Trojan Horse defense)
- Windows Artifacts
Lectures
Reading
- S. Brenner et al., The Trojan Horse Defense in Cybercrime Cases [link] [local copy]
- H. Carvey, Windows Forensic Analysis, available through UMass Library online (as are other relevant titles)
- J. Barbara, Windows 7 Registry Forensics (seven-part series, starting here)
- https://blogs.sans.org/computer-forensics/files/2012/06/SANS-Digital-Forensics-and-Incident-Response-Poster-2012.pdf
Optional reading
- S. Brenner on the Trojan Horse Defense
(The last few units may change as a result of course content updates.)
Unit 9: Cell Phone Forensics
Lectures
Reading
- S. Garfinkel et al., Using purpose-built functions and block hashes to enable small block and sub-file forensics [link] [doi link]
- R. Walls et al., Forensic Triage for Mobile Phones with DEC0DE. [link]
- S. Varma et al., Efficient Smart Phone Forensics Based on Relevance Feedback [link]
Optional reading
- http://www.toolwar.com/2014/04/scalpel-data-carving-tools.html
- https://github.com/sleuthkit/scalpel
- https://github.com/simsong/bulk_extractor
Unit 10: Miscellanea
- Image Analysis
- Storage Technology
- Practicalities of Expert Witnessing
Lectures
Optional reading
- Rapid Object Detection using a Boosted Cascade of Simple Features, the Viola-Jones paper on real-time object (like face) detection from 2001, is a relatively approachable description of the technique we covered in lecture.
- Neural Networks and Deep Learning, which is my absolute favorite introduction to how CNNs actually work (like, the math as well as the code). Absolutely worthwhile, totally followable if you’ve had calculus and 240 or the like. Do some self-study this summer, especially if you plan to do ML or AI!
- https://en.wikipedia.org/wiki/Magnetic_storage
- https://en.wikipedia.org/wiki/Solid-state_drive
- https://belkasoft.com/en/ssd-2014 (or https://belkasoft.com/download/info/SSD%20Forensics%202014.pdf)
- Chapter 5 from Smith, F.C., & Bace, R.G. (2002). A Guide to Forensic Testimony: The Art and Practice of Presenting Testimony as an Expert Technical Witness. Boston, MA: Addison-Wesley. (available from WorldCat)
- My Cousin Vinny [imdb link]
- Affidavit from Jayson Street (an example of an expert witness’s output) [pdf]
Final Exam
Our exam is scheduled for:
May 09, 2018
Wednesday
10:30am–12:30pm
Hasbrouck Addition Laboratory 124
Please note (from the Academic Rules and Regulations):
…it is University policy not to require students to take more than two final examinations in one day of the final examination period. If any student is scheduled to take three examinations on the same day, the faculty member running the chronologically middle examination is required to offer a make-up examination if the student notifies the instructor of the conflict at least two weeks prior to the time the examination is scheduled. The student must provide proof of the conflict. This may be obtained from the Registrar’s Office, 213 Whitmore.