Schedule
This page is a schedule of topics and readings. Lecture notes will often but not always be posted sometime following each lecture. Please remember that the notes (when available) are a supplement to, not a replacement for, attending class and taking your own notes. This schedule is approximate, and may change at my discretion (for example, if we spend more time on a particular topic than initially planned).
Each unit in the schedule will be approximately one week (two lectures); some units may take three or four lectures. I will update this schedule as the semester progresses.
Assignments and due dates are listed separately.
Unit 1: Introduction
Lectures
Required reading
- Digital Forensics Research: The Next 10 Years https://www.dfrws.org/sites/default/files/session-files/paper-digital_forensics_research_-_the_next_10_years.pdf
Optional / supplemental reading
- Digital Forensics on Wikipedia
Unit 2: Carving, fragment recovery
Lectures
Required reading
- Carving Contiguous and Fragmented Files with Object Validation https://dfrws.org/sites/default/files/session-files/paper-carving_contiguous_and_fragmented_files_with_object_validation.pdf
- Identification and Recovery of JPEG Files with Missing Fragments https://www.dfrws.org/sites/default/files/session-files/paper-identification_and_recovery_of_jpeg_files_with_missing_fragments.pdf
- Reconstructing Corrupt DEFLATEd Files https://dfrws.org/sites/default/files/session-files/paper-reconstructing_corrupt_deflated_files.pdf
Optional / supplemental reading
- JPEG
- DEFLATE
- RFC 1951: DEFLATE Compressed Data Format
- Improved Recovery and Reconstruction of DEFLATEd Files https://www.dfrws.org/sites/default/files/session-files/pers-improved_recovery_and_reconstruction_of_deflated_files.pdf
- the ZipRec source code
Unit 3: Hashing, streaming, sampling, and parallelism
Lectures
Required reading
- Using Purpose-Built Functions And Block Hashes To Enable Small Block And Sub-File Forensics https://www.dfrws.org/sites/default/files/session-files/paper-using_purpose-built_functions_and_block_hashes_to_enable_small_block_and_sub-file_forensics.pdf
- Identifying Almost Identical Files Using Context Triggered Piecewise Hashing https://www.dfrws.org/sites/default/files/session-files/paper-identifying_almost_identical_files_using_context_triggered_piecewise_hashing.pdf
- Data Fingerprinting with Similarity Digests http://dl.ifip.org/db/conf/ifip11-9/df2010/Roussev10.pdf
Optional / supplemental reading
- the ssdeep project
- sdhash and its GitHub page
- An Evaluation of Forensic Similarity Hashes https://www.dfrws.org/sites/default/files/session-files/paper-an_evaluation_of_forensic_similarity_hashes.pdf
Unit 4: Filesystems
Lectures
Required reading
- Digital Forensic Implications of ZFS https://dfrws.org/sites/default/files/session-files/paper-digital_forensic_implications_of_zfs.pdf
- Extending The Sleuth Kit and its underlying model for pooled storage file system forensic analysis https://www.dfrws.org/sites/default/files/session-files/paper_extending_the_sleuth_kit_and_its_underlying_model_for_pooled_storage_file_system_forensic_analysis.pdf
Optional / supplemental reading
- Probably the best one-stop shop for FAT, NTFS, and Ext2/3 is the optional textbook for this class, Carrier’s File System Forensic Analysis; I suggest looking over the relevant chapters.
- You may also find the relevant lecture notes from COMPSCI 365 useful for FAT and NTFS.
- The Linux NTFS Documentation
- As usual, Wikipedia has a general but dry introduction to each:
Unit 5: Network forensics
Lectures
- 12: Intro to Network Forensics
- 13: BitTorrent Redux
- 14: OneSwarm
- 15: Freenet
- 16: Statistical Detection of Downloaders in Freenet (guest lecture, no notes)
Required reading
- Forensic Investigation of Peer-to-Peer File Sharing Networks
- Forensic Identification of Anonymous Sources in OneSwarm
- Statistical Detection of Downloaders in Freenet
Optional / supplemental reading
- One of many Bittorrent Specifications
- The original OneSwarm paper provides some more background on that system: Privacy-preserving P2P data sharing with OneSwarm
- The original Freenet paper provides some more background on that system: Freenet: A Distributed Anonymous Information Storage and Retrieval System (though it is somewhat outdated, the basic concepts remain the same), as does the project web site: https://freenetproject.org
Unit 6: Cloud and IoT
Lectures
Required reading
None this week, but you almost certainly want to at least flip through the optional reading!
Optional / supplemental reading
- Cloud Forensics 2018
- https://github.com/google/turbinia
- Forensic analysis of cloud-native artifacts
- Cloudian, etc.
- IoT data in the cloud: https://www.dfrws.org/sites/default/files/session-files/pres_iot_4n6_the_growing_impact.pdf
Unit 7: Mobile / Cell phone forensics
Lectures
Required reading
- Forensic Triage for Mobile Phones with DEC0DE
- Efficient Smart Phone Forensics Based on Relevance Feedback
Unit 8: RAM forensics, reverse engineering, (bonus: image processing)
Lectures
- 19: Intro to Memory Forensics
- (off schedule) 20: Face Detection and Age Estimation
- 21: Reverse Engineering
Optional / supplemental reading
- a Volatility profile for Ubuntu 18.04 Server
- a memory image (note: compressed with lzip, you’ll need to decompress it) for an Ubuntu 18.04 Server instance (from class)
- https://github.com/volatilityfoundation/volatility/
- https://github.com/volatilityfoundation/volatility/wiki/Linux
- https://en.wikipedia.org/wiki/System.map
- https://github.com/python/cpython/tree/2.7/Objects
- Rapid Object Detection using a Boosted Cascade of Simple Features, the Viola-Jones paper on real-time object (like face) detection from 2001, is a relatively approachable description of the technique we covered in lecture.
- OpenCV, the open-source computer vision package I demoed in class.
- IMDB-WIKI – 500k+ face images with age and gender labels, the source for the age estimator I demoed in class.
- Neural Networks and Deep Learning, which is my absolute favorite introduction to how CNNs actually work (like, the math as well as the code). Somewhat explains the “magic,” or at least, gives a basis for it. Absolutely worthwhile, totally followable if you’ve had calculus and 240 or the like. Do some self-study this summer, especially if you plan to do ML or AI!
- https://en.wikipedia.org/wiki/Executable_and_Linkable_Format
- http://www.skyfree.org/linux/references/ELF_Format.pdf
- x86 assembly crash course
- An Intro to x86_64 Reverse Engineering
- NoraCodes Crackmes
Final Exam
Our exam is scheduled for:
Thursday, May 9th, at 1pm in CS 140 (our regular classroom).
Please note (from the Academic Rules and Regulations):
…it is University policy not to require students to take more than two final examinations in one day of the final examination period. If any student is scheduled to take three examinations on the same day, the faculty member running the chronologically middle examination is required to offer a make-up examination if the student notifies the instructor of the conflict at least two weeks prior to the time the examination is scheduled. The student must provide proof of the conflict. This may be obtained from the Registrar’s Office, 213 Whitmore.