COMPSCI 590K: Advanced Digital Forenics Systems | Spring 2020

Syllabus

Welcome

In this course, each voice in the classroom has something of value to contribute. Please take care to respect the different experiences, beliefs and values expressed by students and staff involved in this course. My colleagues and I support UMass’s commitment to diversity, and welcome individuals regardless of age, background, citizenship, disability, sex, education, ethnicity, family status, gender, gender identity, geographical origin, language, military experience, political views, race, religion, sexual orientation, socioeconomic status, and work experience.

View this syllabus as a guide to the course. It provides important information regarding the course, its assignments, policies, grading, and available university resources. You should refer to it regularly. However, this document should be considered a working document. It is possible throughout the semester that a topic may take more time than expected, topics or assignments may change, and so on. If that is the case, the syllabus and/or schedule will be updated and a revised version will be posted (here) on the course web site.

Course overview

Description: This course introduces students to the principal activities and state-of-the-art techniques involved in developing digital forensics systems. Topics covered may include: advanced file carving and reconstruction, forensic analysis of modern filesystems, network forensics, mobile device forensics, memory forensics, and anti-forensics.

Prerequisites: For undergraduates: COMPSCI 365 or 377. Junior and Senior CS majors only. Others will need to request an override. For graduate students: No specific prerequisites, though strong systems knowledge is expected.

What, when, where, who

COMPSCI 590K: Advanced Digital Forensics Systems
TuTh 11:30am–12:45pm
Computer Science Building Room 140

Instructor: Marc Liberatore (please call me “Marc”)
Email: liberato@cs.umass.edu
Phone: 413-545-3061 (on campus: 5-3061)
Office: Computer Science Building, Room 318
Office hours: Monday at 1:30

Required materials

Most readings will be provided by the instructor or be available online through the UMass Library system (when logged in or on a campus network).

There is one optional textbook for this class, Brian Carrier’s File System Forensic Analysis.

Code of conduct

  • The course staff are committed to providing a friendly, safe and welcoming environment for all, regardless of level of experience, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, ethnicity, age, religion, nationality, or other similar characteristic.
  • Please be kind and courteous. There’s no need to be mean or rude.
  • Respect that people have differences of opinion and that differing approaches to problems in this course each carry a trade-off and numerous costs. There is seldom a single right answer to complicated questions.
  • Please keep unstructured critique to a minimum. Criticism should be constructive.
  • We will informally warn you, once, if you insult, demean or harass anyone. That is not welcome behavior. After that we will report your behavior to the Dean of Students office. We interpret the term “harassment” as including the definition in the Citizen Code of Conduct under “Unacceptable Behavior”; if you have any lack of clarity about what might be included in that concept, please read their definition. In particular, we don’t tolerate behavior that excludes people in socially marginalized groups.
  • Private harassment is also unacceptable. No matter who you are, if you feel you have been or are being harassed or made uncomfortable by a member of this class, please contact a member of the course staff immediately (or if you do not feel safe doing so, you should contact the Chair of the Faculty of CICS, currently Prof. James Allan, allan@cs.umass.edu, or the Dean of Students office). Whether you’ve been at UMass for years or are a newcomer, we care about making this course a safe place for you and we’ve got your back.
  • Likewise any spamming, trolling, flaming, baiting or other attention-stealing behavior is not welcome.

(Partially drawn from the Rust Code of Conduct.)

Communication policy

Per the University Email Policy, you are expected to check your email regularly – at least once a day. I will use your UMass email address as your point of contact in all online tools we use (Moodle and Perusall) and as my primary means to contact you individually outside of class.

If you send the course staff email, please include “COMPSCI 590K” in the subject line to make sure we answer them in a timely fashion. For course-content related questions (especially questions that other students might benefit from seeing the answers to), please use Perusall. For other questions, email may be better, but please check the syllabus and course web site before emailing the course staff.

Course staff typically respond to emails and forum questions within about one business day, but I (Marc) do not typically respond to communications after about 5pm or on weekends. Course staff tend to get a high volume of email when a deadline is approaching. If you contact us at least two full business days before an exam or deadline, you are guaranteed a reply before the exam or deadline. Otherwise we’ll do our best, but no guarantees.

Perusall

Perusall is a online system to facilitate course readings and discussions. Access it via the link on the course Moodle page. All required course readings will be posted there, and you must complete them there to receive credit. It will also be used as the main hub for questions and answers in this course.

How Perusall works

Perusall helps you master readings faster, understand the material better, and get more out of your classes. To achieve this goal, you will be collaboratively annotating the readings with others in your class. The help you’ll get and provide your classmates (even if you don’t know anyone personally) will get you past confusions quickly and will make the process more enjoyable. While you read, you’ll receive rapid answers to your questions, help others resolve their questions (which also helps you learn), and advise the instructor how to make class time most productive. You can start a new annotation thread in Perusall by highlighting text, asking a question, or posting a comment; you can also add a reply or comment to an existing thread. Each thread is like a chat with one or more members of your class, and it happens in real time. Your goals in annotating each reading assignment are to stimulate discussion by posting good questions or comments and to help others by answering their questions.

Research shows that by annotating thoughtfully, you’ll learn more and get better grades, so here’s what “annotating thoughtfully” means: Effective annotations deeply engage points in the readings, stimulate discussion, offer informative questions or comments, and help others by addressing their questions or confusions. To help you connect with classmates, you can “mention” a classmate in a comment or question to have them notified by email (they’ll also see a notification immediately if online), and you’ll also be notified when your classmates respond to your questions.

For each assignment we will evaluate the annotations you submit on time (see below). Based on the overall body of your annotations, you will receive a score for each assignment as follows:

3 = demonstrates exceptionally thoughtful and thorough reading of the entire assignment
2 = demonstrates thoughtful and thorough reading of the entire assignment
1 = demonstrates superficial reading of the entire assignment OR thoughtful reading of only part of the assignment
0 = demonstrates superficial reading of only part of the assignment

How many annotations do I need to enter?

When we look at your annotations we want them to reflect the effort you put in your study of the text. It is unlikely that that effort will be reflected by just a single thoughtful annotation every few pages. On the other extreme, 10 per page is probably too many, unless a number of them are superficial or short comments or questions (which is fine, because it is OK to engage in chat with your peers). Somewhere in between these two extremes is about right and, thoughtful questions or comments that stimulate discussion or thoughtful and helpful answers to other students’ questions will earn you a higher score for the assignment. Note, also, that to lay the foundation for understanding the in-class lectures, you must generally familiarize yourself with each assignment in its entirety. Failing to annotate the entire assignment may result in a lower score.

For examples of annotations and quality, see the document that Perusall provides for scoring examples.

What does “on time” mean?

The work done in class depends on you having done the reading in advance, so it is necessary to complete the reading and post your annotations before the deadline to receive credit.

Time management and what to expect

As a general guideline, the university suggests that students spend an additional two to three hours outside of class time per credit hour. This is a three-credit course, therefore you should plan to spend six to nine hours a week on this class outside of lecture.

In a typical week, you will attend (or view) two lectures, complete the assigned reading, and make progress on a project or homework assignment (usually due every two to three weeks).

Schedule

Please see the course web site for a class-by-class schedule.

Grading criteria

The relative value of the various course components is approximately as follows:

15% Readings
50% Assignments
20% Midterms
15% Final exam

The numerical cutoff for final course letter grade assignment will be made after all grading is completed. As a rough guide, expect to require at least a 93 to get an A, a 90 to get an A-, an 87 to get a B+, an 83 to get a B, an 80 to get a B-, and so on.

There are no unannounced opportunities for extra credit in this course; do not ask.

Late work is not generally accepted. If you need an individual extension due to calamity (illness, trauma, death in the family, etc.), I will require documentation of the calamity.

I will retain all graded materials for this course until the end of next semester. If you wish to review them, please come to see me during office hours (or make an appointment).

You are responsible for monitoring your grades. Grades will be available through Moodle and you should check them regularly and review any provided feedback. If you encounter any issues with your grades, you will have one week past the first posting of a particular assignment’s grade to Moodle to contact the course staff so that we can investigate. Please contact us via email. We will not generally accept questions about an individual assignment’s grade beyond this one week, so you must be prompt.

Readings

There will be assigned reading for most class meetings. I expect you to read them by the end of the day before the relevant class, and to engage with the readings – making note of questions, answering others’ questions when possible, and the like. To this end, we are going to use for most reading assignments. You must log into Perusall by clicking the link on the course Moodle page in order! Otherwise grades will not be imported into Moodle, and you will receive a zero on the reading.

Assignments

The majority of the workload in this course will consist of take-home problem sets. These assignments will involve writing, programming, or both.

You will be allowed to work together on assignments, so long as you clearly indicate you collaborated (and with who). The goal here is to aid in your learning, not to have you swap off problem sets. If it becomes clear the latter is happening I will forbid collaboration.

We plan to give about six assignments, about one every two weeks.

Each assignment will contribute a stated number of points toward the “Assignments” portion of your course grade. Each assignment may be worth a different amount of points.

Midterms and exams

There will be two equally-weighted midterms. The midterms will be take-home (so that they are fair between on-campus and remote students).

Midterm one will be February 20th; Midterm two will be March 31st.

There will also be a cumulative final exam. You must achieve a passing grade on the final exam to pass the class.

The final exam will be as scheduled by the registrar, currently May 6th.

You may not bring supplemental material to the midterms or final exam, that is, they are closed-book, and the use of notes, calculators, computers, phones, etc., is forbidden, unless otherwise explicitly stated. This rule is enforced by the honor system.

Exams must be completed on your own: they are not collaborative!

Attendance

I expect you to attend lectures, or, if you are watching lectures online, to view them promptly (generally, within 48 hours of the lecture being posted).

(For each of the below, read “absent” to mean “absent *and unable to view the recorded lectures.“)

  • If you will be absent (either from class, or from an exam) due to religious reasons, you must provide me with a written list of such dates within one week of your enrollment in the course.
  • If you will be absent for a University-related event, such as an athletic event, field trip, or performance, you must notify me as soon as possible.
  • If you are absent for health reasons, I expect you to notify me as soon as possible and provide written documentation.
  • If you are absent for other extenuating non-academic reasons, such as a military obligation, family illness, jury duty, automobile collision, etc., I expect you to notify me as soon as possible and to provide written documentation if you need extensions or excusals.

If you must miss a reading, assignment, or exam for a documented, excusable reason, I will excuse you, or work with you to find an acceptable time for you to take a makeup as appropriate. If you miss an exam without prior notice, I will require an explanation and clear written documentation in order to judge whether the absence is excusable.

Incompletes

Incompletes will be granted only in exceptional cases, and only if you have completed at least half the course with a passing grade. Prior to that, withdrawal is the recommended course of action.

Technology in the classroom

At the start of the semester, I will permit laptops and the like in the classroom. If it becomes clear that they are being used for purposes not directly related to the class, I will ban them. It is unfair to distract other students with Facebook feeds, animated ads, and the like.

Regardless, I recommend taking notes by hand. Research suggests that students who take written notes in class significantly outperform students who use electronic devices to take notes.

Academic honesty

General academic honesty statement

Since the integrity of the academic enterprise of any institution of higher education requires honesty in scholarship and research, academic honesty is required of all students at the University of Massachusetts Amherst. Academic dishonesty is prohibited in all programs of the University. Academic dishonesty includes but is not limited to: cheating, fabrication, plagiarism, and facilitating dishonesty. Appropriate sanctions may be imposed on any student who has committed an act of academic dishonesty. Instructors should take reasonable steps to address academic misconduct. Any person who has reason to believe that a student has committed academic dishonesty should bring such information to the attention of the appropriate course instructor as soon as possible. Instances of academic dishonesty not related to a specific course should be brought to the attention of the appropriate department Head or Chair. Since students are expected to be familiar with this policy and the commonly accepted standards of academic integrity, ignorance of such standards is not normally sufficient evidence of lack of intent.

Please read the UMass Academic Honesty Policy.

Course-specific academic honesty information

Investigating academic dishonesty is an unpleasant experience for both the instructor and the student. Please help me by avoiding any questionable behavior.

Academic dishonesty is usually the result of other problems in school. Please come see the course staff if you are unable to keep up with the work for any reason and we will do our best to work something out. I want to see you succeed, but I will not tolerate academic dishonesty.

What is permitted and what is not? You may discuss material with others, and (when permitted) collaborate, so long as you explicitly list all of your collaborators. When collaboration is forbidden, your writing (code and prose) must be your own.

Do not provide your solutions to others, either directly or via some sort of public posting, except when collaboration is explicitly permitted and when both you and the other person are currently enrolled in this course. Publicly or privately redistributing solutions to exercises, homeworks, or assignments for this course is a violation of the University Honesty Policy’s prohibition against facilitating academic dishonesty.

Uncited copying and pasting of code or text from another student or a third party is a violation of academic honesty, and we will endeavor to detect this by any means available to us, including automated similarity analysis of submitted assignments. Be aware that if something looks like academic dishonesty to us, we will treat it as such, unless you can provide strong evidence to the contrary. When in doubt, it is your responsibility to contact the course staff about whether a potential action would be considered academic dishonesty.

Other academic regulations

For undergraduates

The Office of the Registrar publishes Academic Regulations yearly. You should be familiar with them. Particularly relevant are the policies on attendance, absences due to religious observance, and examinations.

For graduate students

The Graduate School publishes the Graduate Student Handbook, which contains the policies that govern graduate student enrollment at the University. You should be familiar with them.

Accommodation statement

The University of Massachusetts Amherst is committed to providing an equal educational opportunity for all students. If you have a documented physical, psychological, or learning disability on file with Disability Services (DS), you may be eligible for reasonable academic accommodations to help you succeed in this course. If you have a documented disability that requires an accommodation, please notify me within the first two weeks of the semester so that we may make appropriate arrangements.

A word about copyrights

Most of the material (lecture notes, lectures, assignments, and so on) in this course is original work created by the instructor (Marc Liberatore); exceptions are clearly noted (for example, I am not Brian Carrier and did not write the textbook!). While you are welcome to use the material for your own personal and educational use, you may not redistribute these materials to others outside the class. In particular, selling or otherwise redistributing your notes (or mine!), making or selling audio, video, or still recordings of course material, is not allowed without express written permission from me.

I make this stuff available on the web for you to use easily and without the hassle of sign-ups, logins, and the like, not for you to abuse for a buck. As Carol Barr (Senior Vice Provost and Dean of Undergraduate Education) and Enku Gelaye (Vice Chancellor for Student Affairs and Campus Life) noted at the start of the Fall 2017 semester, usage of notes or in-class recordings without the faculty member’s permission is a violation of the faculty member’s copyright protection.

Menu