Syllabus

Welcome

In this course, each voice in the classroom has something of value to contribute. Please take care to respect the different experiences, beliefs and values expressed by students and staff involved in this course. My colleagues and I support UMass’s commitment to diversity, and welcome individuals regardless of age, background, citizenship, disability, sex, education, ethnicity, family status, gender, gender identity, geographical origin, language, military experience, political views, race, religion, sexual orientation, socioeconomic status, and work experience.

View this syllabus as a guide to the course. It provides important information regarding the course, its assignments, policies, grading, and available university resources. You should refer to it regularly. However, this document should be considered a working document. It is possible throughout the semester that a topic may take more time than expected, topics or assignments may change, and so on. If that is the case, the syllabus and/or schedule will be updated and a revised version will be posted (here) on the course web site.

Course overview

Description: The goal of forensics is to gather artifacts for refinement into evidence that supports or refutes a hypothesis about an alleged crime or policy violation. Done correctly, forensics represents the application of science to law. The techniques can also be abused to thwart privacy. This course is a broad introduction to forensic investigation of digital information and devices. We will cover the acquisition, analysis, and courtroom presentation of information from file systems, operating systems, networks, cell phones, and the like. Students do not need experience with these systems. We will review the use of some professional tools that automate data harvesting, however, the primary goal of the class is to understand why and from where artifacts are recoverable in these systems. Several assignments involve coding forensic tools from scratch. For a small portion of the class, we will cover some relevant issues from the law, privacy, and current events. Thus, the class serves the well-rounded student who is eager to participate in class discussion on a variety of technical and social issues.

Prerequisites: COMPSCI 230. Junior and Senior CS majors only. Others will need to request an override.

What, when, where, who

COMPSCI 365: Digital Forensics
TuTh 10:00am–11:15am
Goessman Lab Room 20

Instructor: Marc Liberatore (please call me “Marc”)
Email: liberato@cs.umass.edu
Phone: 413-545-3061 (on campus: 5-3061)
Office: Computer Science Building, Room 318
Office hours: Monday, 9:30–11:30

TAs

Zhiqi Huang
hgzhiqi@gmail.com
Office hours: Wednesday, 9:30–12:00, CS 207 Cube #1

Varun Sharma
varunsharma@umass.edu
Office hours: Tuesday, 1:30–3:30, CS 207 Cube #4

Required materials

There is one required textbook for this class from which many readings will be assigned: Brian Carrier’s File System Forensic Analysis. Most other readings will be provided by the instructor or be available online through the UMass Library system (when logged in or on a campus network).

Code of conduct

  • The course staff are committed to providing a friendly, safe and welcoming environment for all, regardless of level of experience, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, ethnicity, age, religion, nationality, or other similar characteristic.
  • Please be kind and courteous. There’s no need to be mean or rude.
  • Respect that people have differences of opinion and that differing approaches to problems in this course each carry a trade-off and numerous costs. There is seldom a single right answer to complicated questions.
  • Please keep unstructured critique to a minimum. Criticism should be constructive.
  • We will informally warn you, once, if you insult, demean or harass anyone. That is not welcome behavior. After that we will report your behavior to the Dean of Students office. We interpret the term “harassment” as including the definition in the Citizen Code of Conduct under “Unacceptable Behavior”; if you have any lack of clarity about what might be included in that concept, please read their definition. In particular, we don’t tolerate behavior that excludes people in socially marginalized groups.
  • Private harassment is also unacceptable. No matter who you are, if you feel you have been or are being harassed or made uncomfortable by a member of this class, please contact a member of the course staff immediately (or if you do not feel safe doing so, you should contact the Chair of the Faculty of CICS, currently Prof. James Allan, allan@cs.umass.edu, or the Dean of Students office). Whether you’ve been at UMass for years or are a newcomer, we care about making this course a safe place for you and we’ve got your back.
  • Likewise any spamming, trolling, flaming, baiting or other attention-stealing behavior is not welcome.

(Partially drawn from the Rust Code of Conduct.)

Communication policy

Per the University Email Policy, you are expected to check your email regularly – at least once a day. I will use your UMass email address as your point of contact in all online tools we use (Moodle, Piazza, and Gradescope) and as my primary means to contact you individually outside of class. Group announcement will be posted to Piazza, which by default will send you via email whenever an instructor makes a post.

If you send the course staff email, please include “COMPSCI 365” in the subject line to make sure we answer them in a timely fashion. For course-content related questions (especially questions that other students might benefit from seeing the answers to), please use Piazza. For other questions, email is best, but please check the syllabus and course web site before emailing the course staff.

Course staff typically respond to emails and Piazza questions within about one business day, but I (Marc) do not typically respond to communications after about 5pm or on weekends. Course staff tend to get a high volume of email when a deadline is approaching. If you contact us at least two full business days before an exam or deadline, you are guaranteed a reply before the exam or deadline. Otherwise we’ll do our best, but no guarantees.

Piazza

Piazza is a online discussion management system. It will be used as the main hub for questions and answers in this course. Piazza is a great tool but it can be abused. Please follow these guidelines in your use of Piazza to avoid abusing it:

  • You should use Piazza to ask questions and get advice on assignments. But you should not use Piazza to step through each problem you encounter in an assignment.
  • You may not post assignment solutions to Piazza, either in questions or answers to others’ questions.
  • If you must post code you are working on, you should do so only through private posts to the course instructors.
  • You should not post code without a thoughtful and articulate question. Do not post code and ask only, “what is wrong with my code?” See, for example, http://stackoverflow.com/help/how-to-ask or https://jvns.ca/blog/good-questions/ for constructive advice on asking questions.
  • You are encouraged to help other students by answering questions.

The course staff will monitor Piazza and answer your questions in a timely manner (generally within a business day or two). But do not expect us to provide real-time answers on Piazza, especially in the last few hours before an assignment is due!

If a question has already been answered in a previous post we may not respond to you. If a question does not follow the guidelines above we may not answer it. If we find that a private question is relevant to a larger audience, we may make mark it public to help others in the course.

Time management and what to expect

As a general guideline, the university suggests that students spend an additional two to three hours outside of class time per credit hour. This is a three-credit course, therefore you should plan to spend six to nine hours a week on this class outside of lecture.

In a typical week, you will attend two lectures, complete a homework assignment which may involve significant reading, writing, and/or programming, and complete the assigned reading.

Schedule

Please see the course web site for a class-by-class schedule; the topics will be approximately as follows, though there may be some adjustments as the semester goes on:

Weeks 1 & 2: Introduction to Forensics
Weeks 2, 3, 4: Data Representation, Carving Data, EXIF (midterm 1 around here, see assignments page for exact date)
Week 5: Criminal Law and Forensics
Week 6: Network Investigations I
Week 7: Volume Acquisition, Parsing MBRs and GPTs
Week 8: Parsing FAT
Week 9 & 10: Parsing NTFS (midterm 2 around here)
Week 11: Network Investigations II
Week 12: Malware, Windows Artifacts
Week 13: Various (in the past: cell phone forensics; how spinning platter magnetic hard drives work; how flash storage works; how to be an expert witness)

Final Exam: as scheduled by registrar

Grading criteria

The relative value of the various course components is approximately as follows:

65% Assignments
20% Midterms
15% Final exam

The numerical cutoff for final course letter grade assignment will be made after all grading is completed. As a rough guide, expect to require at least a 93 to get an A, a 90 to get an A-, an 87 to get a B+, an 83 to get a B, an 80 to get a B-, and so on.

There are no unannounced opportunities for extra credit in this course; do not ask.

There is a 1/4 penalty per day (or fraction thereof) that an assignment is late. One day late means a score is scaled to 2/4 of its original value; two days late, to 1/2, three days, 1/4, and work later than three days late is not accepted. If you need an individual extension due to calamity (illness, trauma, death in the family, etc.), I will require documentation of the calamity.

I will retain all graded materials for this course until the end of next semester. If you wish to review them, please come to see me during office hours (or make an appointment).

You are responsible for monitoring your grades. Grades will be available through Moodle (though note that some will be available in Gradescope first) and you should check them regularly and review any provided feedback. If you encounter any issues with your grades, you will have one week past the first posting of a particular assignment’s grade to Moodle to contact the course staff so that we can investigate. Please contact us via a private message on Piazza. We will not generally accept questions about an individual assignment’s grade beyond this one week, so you must be prompt.

Assignments

The majority of the workload in this course will consist of take-home assignments. These assignments will involve writing, programming, or both. Written assignments will have a series of questions, and will require that you understand basic legal and technical concepts to answer them correctly. Some written assignments will require detailed analyses (for example, reasoning about a particular technology in the context of a law). Programming assignments will typically involve implementing a forensic tool from scratch using Python. Assignments are generally not collaborative: you must complete them on your own. Exceptions to this rule will be clearly noted.

We plan to give about 12 assignments (depending upon how written and programming assignments are broken up or combined into single assignments).

Each assignment will contribute a stated number of points toward the “Assignments” portion of your course grade. Each assignment may be worth a different amount of points.

Attempts to manipulate, game, or otherwise incorrectly use the autograder will be treated as academic dishonesty.

Midterms and exams

There will be two equally-weighted in-class midterms.

There will also be a cumulative final exam. You must achieve a passing grade on the final exam to pass the class.

Please note (from the Academic Rules and Regulations):

…it is University policy not to require students to take more than two final examinations in one day of the final examination period. If any student is scheduled to take three examinations on the same day, the faculty member running the chronologically middle examination is required to offer a make-up examination if the student notifies the instructor of the conflict at least two weeks prior to the time the examination is scheduled. The student must provide proof of the conflict. This may be obtained from the Registrar’s Office, 213 Whitmore.

You may not bring supplemental material to the midterms or final exam, that is, they are closed-book, and the use of notes, calculators, computers, phones, etc., is forbidden, unless otherwise explicitly stated.

Exams must be completed on your own: they are not collaborative!

Attendance

I expect you to attend lectures (and exams!).

  • If you will be absent (either from class, or from an exam) due to religious reasons, you must provide me with a written list of such dates within one week of your enrollment in the course.
  • If you will be absent for a University-related event, such as an athletic event, field trip, or performance, you must notify me as soon as possible.
  • If you are absent for health reasons, I expect you to notify me as soon as possible and provide written documentation.
  • If you are absent for other extenuating non-academic reasons, such as a military obligation, family illness, jury duty, automobile collision, etc., I expect you to notify me as soon as possible and provide written documentation.

If you must miss a quiz or exam for a documented, excusable reason, I will work with you to find an acceptable time for you to take a makeup. If you miss an exam without prior notice, I will require an explanation and clear written documentation in order to judge whether the absence is excusable.

Incompletes

Incompletes will be granted only in exceptional cases, and only if you have completed at least half the course with a passing grade. Prior to that, withdrawal is the recommended course of action.

Technology in the classroom

At the start of the semester, I will permit laptops and the like in the classroom. If it becomes clear that they are being used for purposes not directly related to the class, I will ban them. It is unfair to distract other students with Facebook feeds, animated ads, and the like.

Regardless, I recommend taking notes by hand. Research suggests that students who take written notes in class significantly outperform students who use electronic devices to take notes.

Offensive topics and materials

This class will occasionally involve discussion of real-life court cases and criminal scenarios. You may find some topics of discussion distasteful, offensive, disturbing, and shocking, which is atypical for Computer Science. For example, we may discuss true and hypothetical scenarios and cases of child sexual exploitation, adult pornography, homicide, and other violent crimes. You are welcome to sit out for any discussion if you feel uncomfortable, no questions asked, no need to ask ahead of time. I will try to keep all discussions at a high level and to give clear warning when we’re about to discuss potentially offensive material (and you should do the same) but it is inevitable that there will be some frank discussion in lecture, and some court decisions referenced or read will contain candid language.

Academic honesty

General academic honesty statement

Since the integrity of the academic enterprise of any institution of higher education requires honesty in scholarship and research, academic honesty is required of all students at the University of Massachusetts Amherst. Academic dishonesty is prohibited in all programs of the University. Academic dishonesty includes but is not limited to: cheating, fabrication, plagiarism, and facilitating dishonesty. Appropriate sanctions may be imposed on any student who has committed an act of academic dishonesty. Instructors should take reasonable steps to address academic misconduct. Any person who has reason to believe that a student has committed academic dishonesty should bring such information to the attention of the appropriate course instructor as soon as possible. Instances of academic dishonesty not related to a specific course should be brought to the attention of the appropriate department Head or Chair. Since students are expected to be familiar with this policy and the commonly accepted standards of academic integrity, ignorance of such standards is not normally sufficient evidence of lack of intent.

Please read the UMass Academic Honesty Policy.

Course-specific academic honesty information

Academic dishonesty is usually the result of other problems in school. Please come see me or the TA if you are unable to keep up with the work for any reason and we will do our best to work something out. I want to see you succeed, but I will not tolerate academic dishonesty.

Investigating academic dishonesty is an unpleasant experience for both the instructor and the student. Please help me by avoiding any questionable behavior.

What is permitted and what is not? You may discuss material with others, but when collaboration is forbidden (as it is on programming assignments), your writing (code and prose) must be your own.

The surest way to avoid problems is as follows: When discussing problems with others, do not show any of your solution (code or otherwise) to others. In particular, do not sit down and start typing on a classmate’s laptop, do not allow a classmate to type on yours, and don’t act as a dictation machine (where a classmate sitting next to you tells you what to type).

When asking others for help, avoid taking detailed notes about the solution – you want to avoid doing a copy/paste, whether it be on a computer screen or using pen and paper.

When you ask for help, either in person or on Piazza, it’s good practice to ask your question by describing the problem you’re having, or using a small synthetic example that illustrates your difficulty. If you must include a large chunk of your code to ask your question on Piazza, mark it as a “private” question, and only the course staff will be able to see it.

When searching for the answer online: Don’t. Just don’t.

Do not provide your solutions to others, either directly or via some sort of public posting, except when collaboration is explicitly permitted and when both you and the other person are currently enrolled in this course. Publicly or privately redistributing solutions to exercises, homeworks, or assignments for this course is a violation of the University Honesty Policy’s prohibition against facilitating academic dishonesty.

Copying and pasting code from another student or a third party is a violation of academic honesty, and we will endeavor to detect this by any means available to us, including automated similarity analysis of submitted assignments. Be aware that if something looks like academic dishonesty to us, we will treat it as such, unless you can provide strong evidence to the contrary. When in doubt, it is your responsibility to contact the course staff about whether a potential action would be considered academic dishonesty.

Other academic regulations

The Office of the Registrar publishes Academic Regulations yearly. You should be familiar with them. Particularly relevant are the policies on attendance, absences due to religious observance, and examinations.

Accommodation statement

The University of Massachusetts Amherst is committed to providing an equal educational opportunity for all students. If you have a documented physical, psychological, or learning disability on file with Disability Services (DS), you may be eligible for reasonable academic accommodations to help you succeed in this course. If you have a documented disability that requires an accommodation, please notify me within the first two weeks of the semester so that we may make appropriate arrangements.

A word about putting your solutions on GitHub, GitLab, BitBucket, etc.

Per the course-specific academic honesty policy, you are not permitted to make your solutions to the assignments in this class available to others. This includes reposting them to public GitHub repositories (or other service where another student might plausibly see them).

A word about copyrights

Most of the material (lecture notes, lectures, assignments, and so on) in this course is original work created by the instructor (Marc Liberatore); exceptions are clearly noted (for example, I am not Brian Carrier and did not write the textbook!). While you are welcome to use the material for your own personal and educational use, you may not redistribute these materials to others outside the class. In particular, selling or otherwise redistributing your notes (or mine!), making or selling audio, video, or still recordings of course material, is not allowed without express written permission from me.

I make this stuff available on the web for you to use easily and without the hassle of sign-ups, logins, and the like, not for you to abuse for a buck. As Carol Barr (Senior Vice Provost and Dean of Undergraduate Education) and Enku Gelaye (Vice Chancellor for Student Affairs and Campus Life) noted at the start of the Fall 2017 semester, usage of notes or in-class recordings without the faculty member’s permission is a violation of the faculty member’s copyright protection.