Schedule

This page is a schedule of topics and readings. Lecture notes will often but not always be posted sometime following each lecture. Please remember that the notes (when available) are a supplement to, not a replacement for, attending class and taking your own notes. This schedule is approximate, and may change at my discretion (for example, if we spend more time on a particular topic than initially planned).

Each unit in the schedule will be approximately one week (two lectures); some units may take three or four lectures. I will update this schedule as the semester progresses.

Assignments and due dates are listed separately.

Unit 1: Introduction

Lectures

• 01: Introduction
• 02: Survey / Intro to Carving

Required reading

• Digital Forensics Research: The Next 10 Years https://www.dfrws.org/sites/default/files/session-files/paper-digital_forensics_research_-_the_next_10_years.pdf

Optional / supplemental reading

• Digital Forensics on Wikipedia

Unit 2: Carving, fragment recovery

Lectures

• 03: Carving
• 04: JPEG Recovery
• 05: DEFLATE

Required reading

• Carving Contiguous and Fragmented Files with Object Validation https://dfrws.org/sites/default/files/session-files/paper-carving_contiguous_and_fragmented_files_with_object_validation.pdf
• Identification and Recovery of JPEG Files with Missing Fragments https://www.dfrws.org/sites/default/files/session-files/paper-identification_and_recovery_of_jpeg_files_with_missing_fragments.pdf
• Reconstructing Corrupt DEFLATEd Files https://dfrws.org/sites/default/files/session-files/paper-reconstructing_corrupt_deflated_files.pdf

Optional / supplemental reading

• JPEG
• DEFLATE
• RFC 1951: DEFLATE Compressed Data Format
• Improved Recovery and Reconstruction of DEFLATEd Files https://www.dfrws.org/sites/default/files/session-files/pers-improved_recovery_and_reconstruction_of_deflated_files.pdf
• the ZipRec source code

Unit 3: Hashing, streaming, sampling, and parallelism

Lectures

• 06: Small Block Hashing
• 07: Contextual Hashing
• 08: Similarity Digests

Required reading

• Using Purpose-Built Functions And Block Hashes To Enable Small Block And Sub-File Forensics https://www.dfrws.org/sites/default/files/session-files/paper-using_purpose-built_functions_and_block_hashes_to_enable_small_block_and_sub-file_forensics.pdf
• Identifying Almost Identical Files Using Context Triggered Piecewise Hashing https://www.dfrws.org/sites/default/files/session-files/paper-identifying_almost_identical_files_using_context_triggered_piecewise_hashing.pdf
• Data Fingerprinting with Similarity Digests http://dl.ifip.org/db/conf/ifip11-9/df2010/Roussev10.pdf

Optional / supplemental reading

• the ssdeep project
• sdhash and its GitHub page
• An Evaluation of Forensic Similarity Hashes https://www.dfrws.org/sites/default/files/session-files/paper-an_evaluation_of_forensic_similarity_hashes.pdf

Unit 4: Filesystems

Lectures

• 09: FAT and NTFS
• 10: Ext2/3/4
• 11: ZFS

Required reading

• Digital Forensic Implications of ZFS https://dfrws.org/sites/default/files/session-files/paper-digital_forensic_implications_of_zfs.pdf
• Extending The Sleuth Kit and its underlying model for pooled storage file system forensic analysis https://www.dfrws.org/sites/default/files/session-files/paper_extending_the_sleuth_kit_and_its_underlying_model_for_pooled_storage_file_system_forensic_analysis.pdf

Optional / supplemental reading

• Probably the best one-stop shop for FAT, NTFS, and Ext2/3 is the optional textbook for this class, Carrier’s File System Forensic Analysis; I suggest looking over the relevant chapters.
• You may also find the relevant lecture notes from COMPSCI 365 useful for FAT and NTFS.
• The Linux NTFS Documentation
• As usual, Wikipedia has a general but dry introduction to each:
  • FAT
  • NTFS
  • Ext2 / Ext3 / Ext4
  • ZFS

Unit 5: Network forensics

Lectures

• 12: Intro to Network Forensics
• 13: BitTorrent Redux
• 14: OneSwarm
• 15: Freenet
• 16: Statistical Detection of Downloaders in Freenet (guest lecture, no notes)

Required reading

• Forensic Investigation of Peer-to-Peer File Sharing Networks
• Forensic Identification of Anonymous Sources in OneSwarm
• Statistical Detection of Downloaders in Freenet

Optional / supplemental reading

• One of many Bittorrent Specifications
• The original OneSwarm paper provides some more background on that system:Privacy-preserving P2P data sharing with OneSwarm
• The original Freenet paper provides some more background on that system: Freenet: A Distributed Anonymous Information Storage and Retrieval System (though it is somewhat outdated, the basic concepts remain the same), as does the project web site: https://freenetproject.org

Unit 6: Cloud and IoT

Lectures

• 17: Cloud Forensics

Required reading

None this week, but you almost certainly want to at least flip through the optional reading!

Optional / supplemental reading

• Cloud Forensics 2018
• https://github.com/google/turbinia
• Forensic analysis of cloud-native artifacts
• Cloudian, etc.
• IoT data in the cloud: https://www.dfrws.org/sites/default/files/session-files/pres_iot_4n6_the_growing_impact.pdf

Unit 7: Mobile / Cell phone forensics

Lectures

• 18: Phone forensic triage

Required reading

• Forensic Triage for Mobile Phones with DEC0DE
• Efficient Smart Phone Forensics Based on Relevance Feedback

Unit 8: RAM forensics, reverse engineering, (bonus: image processing)

Lectures

• 19: Intro to Memory Forensics
• (off schedule) 20: Face Detection and Age Estimation
• 21: Reverse Engineering

Optional / supplemental reading

• a Volatility profile for Ubuntu 18.04 Server
• a memory image (note: compressed with lzip, you’ll need to decompress it) for an Ubuntu 18.04 Server instance (from class)
• https://github.com/volatilityfoundation/volatility/
• https://github.com/volatilityfoundation/volatility/wiki/Linux
• https://en.wikipedia.org/wiki/System.map
• https://github.com/python/cpython/tree/2.7/Objects
• Rapid Object Detection using a Boosted Cascade of Simple Features, the Viola-Jones paper on real-time object (like face) detection from 2001, is a relatively approachable description of the technique we covered in lecture.
• OpenCV, the open-source computer vision package I demoed in class.
• MDB-WIKI – 500k+ face images with age and gender labels, the source for the age estimator I demoed in class.
• Neural Networks and Deep Learning, which is my absolute favorite introduction to how CNNs actually work (like, the math as well as the code). Somewhat explains the “magic,” or at least, gives a basis for it. Absolutely worthwhile, totally followable if you’ve had calculus and 240 or the like. Do some self-study this summer, especially if you plan to do ML or AI!
• https://en.wikipedia.org/wiki/Executable_and_Linkable_Format
• http://www.skyfree.org/linux/references/ELF_Format.pdf
• x86 assembly crash course
• An Intro to x86_64 Reverse Engineering
• NoraCodes Crackmes

Final Exam

Our exam is scheduled for:

Thursday, May 9th, at 1pm in CS 140 (our regular classroom).

Please note (from the Academic Rules and Regulations):

…it is University policy not to require students to take more than two final examinations in one day of the final examination period. If any student is scheduled to take three examinations on the same day, the faculty member running the chronologically middle examination is required to offer a make-up examination if the student notifies the instructor of the conflict at least two weeks prior to the time the examination is scheduled. The student must provide proof of the conflict. This may be obtained from the Registrar’s Office, 213 Whitmore.