Schedule
This page is a schedule of topics and readings. Lecture notes up before class are drafts, and may be updated sometime following each lecture. Please remember that the notes (when available) are a supplement to, not a replacement for, attending class and taking your own notes. This schedule is approximate, and may change at my discretion (for example, if we spend more time on a particular topic than initially planned).
Each unit in the schedule will be approximately one week (two lectures); some units may take three or four lectures. I will update this schedule and the notes as the semester progresses.
Assignments and due dates are listed separately.
Unit 1: Intro
Topics
- Basics of Forensics
- A Motivating Example
- Data Representation
- Brief Introduction to Python for Forensics
Lectures
Reading
Carrier, Chapter 1 (and optionally start 3)
Other optional readings and resources
- On ASCII and Unicode:
- On Python:
- https://docs.python.org/3.6/ (in particular, the tutorial and first few chapters of the library reference)
- https://learnxinyminutes.com/docs/python3/
- http://www.diveintopython3.net/index.html
- On classes of evidence:
Unit 2: Carving and Exif
- Carving Data from Files
- Metadata in Data: EXIF as a case study
Lectures
Reading
Carrier, Chapter 2
Other optional readings and resources
- Handout 1: Data Representation
- UTF-8
- UTF-16
- Exif Specification
- Description of the Exif file format
- ITU-T Recommendation T.81 (JPEG)
- the Jupyter notebook from Lecture 06. I strongly recommend you try to write the code for the corresponding assignment without copy/pasting from this notebook. For future work I won’t spend as much (or any) time writing the Python for parsing in class. Start practicing now!
Unit 3: Forensic Science and Law
- Criminal/Legal Forensics
- Forensics is science applied to law (G. Sapir, Daubert)
- Contraband and knowing possession (G. Marin)
- Indicia of intent (T. Howard)
Lectures
Reading
- G. Sapir, Qualifying the Expert Witness
- G. Marin, Possession of Child Pornography: Should You be Convicted When the Computer Cache Does the Saving for You? (Note: don’t be an idiot! This article and others we’ll read discuss methods of downloading from the Internet materials related to child sexual exploitation. Enrollment in this class is never authorization to break any laws. Do not even search for keywords related to child pornography, and certainly don’t download any materials. You could end up in court or jail for a long time and ruin your entire life.)
- T. Howard, Don’t Cache Out Your Case: Prosecuted Child Pornography Possession Laws Based on Images Located in Temporary Internet Files
Other optional readings and resources
- The Daubert Trilogy:
Unit 4: Network Investigations I
- NITs and Tor
Lectures
Reading
- Hennessey and Weaver, A Judicial Framework for Evaluating Network Investigative Techniques
Other optional readings and resources
- Tor: Overview
- Tor: Hidden Service Protocol
- Orin Kerr, Government ‘hacking’ and the Playpen search warrant
- Orin Kerr, Remotely accessing an IP address inside a target computer is a search
- Remote, Durable Proof of Possession: B. Levine et al., Efficient Tagging of Remote Peers During Child Pornography Investigations (this is the journal version of an earlier 2010 paper)
Unit 5: Volumes, Partitions, and FAT
- Disk Image Acquisition
- Filesystem Forensics: Master Boot Records (MBRs), GPTs, partitions, volumes
- FAT Filesystems
Lectures
- 09: Acquisition, Volumes, MBRs
- 10: GPTs, Intro to the FAT filesystem
- 11: FATs and Directory Entries
- 12: Parsing FAT
Reading
- Carrier, Chapter 3, 4, 5 (through DOS Partitions), Chapter 6 (just GPT Partitions)
- Carrier, Chapter 8, 9, 10
Optional reading
Volumes and partitions:
- https://en.wikipedia.org/wiki/Master_boot_record
- https://en.wikipedia.org/wiki/Partition_type
- https://en.wikipedia.org/wiki/Cylinder-head-sector
- https://en.wikipedia.org/wiki/GUID_Partition_Table
FAT:
Unit 6: NTFS
- NTFS Filesystems
Lectures
- 13: Introduction to NTFS
- 14: More on NTFS
- 14B: NTFS in Python (no notes, just some livecoding)
Reading
- Carrier, Chapter 11, 12, 13
Optional reading
Unit 7: Network Investigations II; Malware and Windows Artifacts
- Wiretapping Technology and Privacy; Email Investigations
- Malware and Related Legal Issues (The Trojan Horse defense)
- Windows Artifacts
Lectures
- 15: “Going Dark”
- 16: Email, The Trojan Horse Defense
- 17: Intro to Windows Forensics
- 18: More Windows Forensics
Reading
- S. Bellovin et al., Going Bright: Wiretapping without Weakening Communications Infrastructure [doi link] [local copy]
- S. Bellovin et al., Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet [doi link] [local copy]
- S. Brenner et al., The Trojan Horse Defense in Cybercrime Cases [link] [local copy]
- H. Carvey, Windows Forensic Analysis, available through UMass Library online (as are other relevant titles)
- J. Barbara, Windows 7 Registry Forensics (seven-part series, starting here)
- https://blogs.sans.org/computer-forensics/files/2012/06/SANS-Digital-Forensics-and-Incident-Response-Poster-2012.pdf
Optional reading
- Lawful hacking and the case for a strategic approach to “Going Dark”
- “Don’t Panic”: Making Progress on the “Going Dark” Debate
- Email header forensics
- SMTP
- S. Brenner on the Trojan Horse Defense
(The last few units may change as a result of course content updates.)
Unit 8: Cell Phone Forensics
Lectures
Reading
- S. Garfinkel et al., Using purpose-built functions and block hashes to enable small block and sub-file forensics [link] [doi link]
- R. Walls et al., Forensic Triage for Mobile Phones with DEC0DE. [link]
- S. Varma et al., Efficient Smart Phone Forensics Based on Relevance Feedback [link]
Optional reading
- http://www.toolwar.com/2014/04/scalpel-data-carving-tools.html
- https://github.com/sleuthkit/scalpel
- https://github.com/simsong/bulk_extractor
Unit 9: Miscellanea
- Memory Forensics
- Image Analysis
- Practicalities of Expert Witnessing
Lectures
Optional reading / links
- a Volatility profile for Ubuntu 18.04 Server
- a memory image for an Ubuntu 18.04 Server instance (from class) (note: compressed with lzip, you’ll need to decompress it)
- https://github.com/volatilityfoundation/volatility/
- https://github.com/volatilityfoundation/volatility/wiki/Linux
- https://en.wikipedia.org/wiki/System.map
- Rapid Object Detection using a Boosted Cascade of Simple Features, the Viola-Jones paper on real-time object (like face) detection from 2001, is a relatively approachable description of the technique we covered in lecture.
- OpenCV, the open-source computer vision package I demoed in class.
- MDB-WIKI – 500k+ face images with age and gender labels, the source for the age estimator I demoed in class.
- Neural Networks and Deep Learning, which is my absolute favorite introduction to how CNNs actually work (like, the math as well as the code). Somewhat explains the “magic,” or at least, gives a basis for it. Absolutely worthwhile, totally followable if you’ve had calculus and 240 or the like. Do some self-study this summer, especially if you plan to do ML or AI!
- Chapter 5 from Smith, F.C., & Bace, R.G. (2002). A Guide to Forensic Testimony: The Art and Practice of Presenting Testimony as an Expert Technical Witness. Boston, MA: Addison-Wesley. (available from WorldCat)
- My Cousin Vinny [imdb link] (available on DVD from the UMass Library)
- Affidavit from Jayson Street (an example of an expert witness’s output) [pdf]
Final Exam
Our exam is scheduled for:
Wednesday, May 08, 2018, 10:30am–12:30pm, Goessman Lab room 20