Schedule

This page is a schedule of topics and readings.

The linked readings are here for your convenience, but the graded reading response must be done through Perusall via the course Moodle link.

Lecture notes will often but not always be posted sometime following each lecture. Please remember that the notes (when available) are a supplement to, and not a replacement for, attending class and taking your own notes.

This schedule is approximate, and will be updated as the semester progresses.

Unit 1: Introduction

Lectures

01: Introduction
02: Survey / Intro to Carving

Required reading

Digital Forensics Research: The Next 10 Years https://www.dfrws.org/sites/default/files/session-files/paper-digital_forensics_research_-_the_next_10_years.pdf

Optional / supplemental reading

Digital Forensics on Wikipedia

Unit 2: Carving, fragment recovery

Lectures

03: Carving
04: JPEG Recovery
05: DEFLATE

Required reading

Carving Contiguous and Fragmented Files with Object Validation https://dfrws.org/sites/default/files/session-files/paper-carving_contiguous_and_fragmented_files_with_object_validation.pdf
Identification and Recovery of JPEG Files with Missing Fragments https://www.dfrws.org/sites/default/files/session-files/paper-identification_and_recovery_of_jpeg_files_with_missing_fragments.pdf
Reconstructing Corrupt DEFLATEd Files https://dfrws.org/sites/default/files/session-files/paper-reconstructing_corrupt_deflated_files.pdf

Optional / supplemental reading

JPEG
Unraveling the JPEG
DEFLATE
RFC 1951: DEFLATE Compressed Data Format
Improved Recovery and Reconstruction of DEFLATEd Files https://www.dfrws.org/sites/default/files/session-files/pers-improved_recovery_and_reconstruction_of_deflated_files.pdf
the ZipRec source code
Zip Files: History, Explanation and Implementation

Unit 3: Hashing, streaming, sampling, and parallelism

Lectures

06: Small Block Hashing
07: Contextual Hashing
08: Similarity Digests
09: Perceptual Hashing

Required reading

Using Purpose-Built Functions And Block Hashes To Enable Small Block And Sub-File Forensics https://www.dfrws.org/sites/default/files/session-files/paper-using_purpose-built_functions_and_block_hashes_to_enable_small_block_and_sub-file_forensics.pdf
Identifying Almost Identical Files Using Context Triggered Piecewise Hashing https://www.dfrws.org/sites/default/files/session-files/paper-identifying_almost_identical_files_using_context_triggered_piecewise_hashing.pdf
Data Fingerprinting with Similarity Digests http://dl.ifip.org/db/conf/ifip11-9/df2010/Roussev10.pdf
Looks Like It and Kind of Like That, the most readable introduction to perceptual hashing I could find; most of the academic literature is similar, but relies on details of image processing that are way out of scope for this course.

Optional / supplemental reading

the ssdeep project
sdhash and its GitHub page
An Evaluation of Forensic Similarity Hashes https://www.dfrws.org/sites/default/files/session-files/paper-an_evaluation_of_forensic_similarity_hashes.pdf
Perceptual hashing
imagehash, a python library that implements simple perceptual hashing
The only web-visible documentation on PhotoDNA I’ve found

Unit 4: Filesystems

Lectures

10: Volumes and FAT
11: NTFS
12: Ext2/3/4
13: ZFS

Required reading

Digital Forensic Implications of ZFS https://dfrws.org/sites/default/files/session-files/paper-digital_forensic_implications_of_zfs.pdf
Extending The Sleuth Kit and its underlying model for pooled storage file system forensic analysis https://www.dfrws.org/sites/default/files/session-files/paper_extending_the_sleuth_kit_and_its_underlying_model_for_pooled_storage_file_system_forensic_analysis.pdf

Optional / supplemental reading

Probably the best one-stop shop for volume management, FAT, NTFS, and Ext2/3 is the optional textbook for this class, Carrier’s File System Forensic Analysis; I suggest looking over the relevant chapters.
You may also find the relevant lecture notes from COMPSCI 365 useful for FAT and NTFS.
The Linux NTFS Documentation
ZFS On-Disk Specification
ZFS On Linux documentation
As usual, Wikipedia has a general but dry introduction to each:
- Master boot records
- GUID partition table
- FAT
- NTFS
- Ext2 / Ext3 / Ext4
- ZFS

Unit 5: Network forensics

Lectures

14: Intro to Network Forensics
15: BitTorrent
16: BitTorrent on the Wire
17: OneSwarm
18: Freenet
19: Statistical Detection of Downloaders in Freenet / Legal Issues in Network Forensics

Required reading

Forensic Investigation of Peer-to-Peer File Sharing Networks
Forensic Identification of Anonymous Sources in OneSwarm
The original Freenet paper provides some more background on that system: Freenet: A Distributed Anonymous Information Storage and Retrieval System (though it is somewhat outdated, the basic concepts remain the same), as does the project web site: https://freenetproject.org
The Illustrated Guide to Law. In particular, read Criminal Procedure, chapters 3, 4, and 5 (The 4th Amendment, Exclusionary Rule, and Warrants and Standing).
US v. Connor, 12-3210 (Sixth Circuit).
US v. Dickerman, 18-3150 (Eight Circuit)
A Forensically Sound Method of Detecting Downloaders in Freenet.

Optional / supplemental reading

One of many Bittorrent Specifications
The original OneSwarm paper provides some more background on that system:Privacy-preserving P2P data sharing with OneSwarm
Statistical Detection of Downloaders in Freenet (Note this is now optional; I will post a copy of our draft update to this paper as required reading.)

Unit 6: Cloud

Lectures

20: Cloud Forensics

Required reading

None this week, but you almost certainly want to at least flip through the optional reading!

Optional / supplemental reading

Unit 7: Other Forensic Topics

Lectures

21: Phone Triage and File Format Reverse Engineering
22: Intro to Memory Forensics
23: Intro to Executable Reverse Engineering

Required reading

Optional reading

Additional material

a Volatility profile for Ubuntu 18.04 Server
a memory image (note: compressed with lzip, you’ll need to decompress it) for an Ubuntu 18.04 Server instance (used in lecture)