In this course, each voice in the classroom has something of value to contribute. Please take care to respect the different experiences, beliefs and values expressed by students and staff involved in this course. My colleagues and I support UMass’s commitment to diversity, and welcome individuals regardless of age, background, citizenship, disability, sex, education, ethnicity, family status, gender, gender identity, geographical origin, language, military experience, political views, race, religion, sexual orientation, socioeconomic status, and work experience.
View this syllabus as a guide to the course. It provides important information regarding the course, its assignments, policies, grading, and available university resources.
You should read it once, thoroughly, at the start of the semester. However, this document should be considered a working document. It is possible throughout the semester that a topic may take more time than expected, topics or assignments may change, or some material may be canceled or delayed due to a snow day or another emergency. If that is the case, the syllabus and schedule will be updated and a revised version will be posted on the course web site.
Description: This course introduces students to the principal activities and state-of-the-art techniques involved in developing digital forensics systems. Topics covered may include: advanced file carving and reconstruction, forensic analysis of modern filesystems, network forensics, mobile device forensics, memory forensics, and anti-forensics.
Prerequisites: For undergraduates: COMPSCI 365 or 377. Junior and Senior CS majors only. Others will need to request an override. For graduate students: No specific prerequisites, though strong systems knowledge is expected.
Objectives: COMPSCI 590K requires students to critically engage with the theory and practice of modern digital forensics. In particular, students will read, critique, and discuss key papers and other artifacts from the field; engage in analysis and problem-solving based upon the principles and practices developed there; and apply these principles and practices in project-based learning.
COMPSCI 590K: Advanced Digital Forensics Systems
Class delivered through Moodle and associated systems (Echo360, Perusall, Campuswire)
Instructor: Marc Liberatore (please call me “Marc”)
Email: firstname.lastname@example.org (though see note below about Campuswire)
Phone: 413-545-3061 (on campus: 5-3061)
Office: Computer Science, Room 318
Office hours: TBA
Grader: Basundhara Chakrabarty
Note that office hours end the last week of classes! Unless you hear otherwise, we won’t be holding regularly-scheduled office hours after May 4th!
An Internet connection is required.
A reasonably recent computer with the ability to run a full-featured programming environment is required. Your computer must also support a Linux or similar environment, either directly or through a use of a virtual machine such as Box or VMWare. As time permits, course staff may be able to help with minor technical issues, but we are not IT support staff; we cannot generally solve installation or configuration issues, especially remotely.
Required technical material will be provided by the instructor.
There is one optional textbook for this class, Brian Carrier’s File System Forensic Analysis.
Per the University Email Policy, you are expected to check your University email regularly – at least once a day. I will use your UMass email address as your primary point of contact in all online tools we use and as my primary means to contact you individually outside of class. Group announcement will be posted to Campuswire, which can be configured to send you via email whenever an instructor makes a post.
For course-content related questions, especially questions that other students might benefit from seeing the answers to, please use Campuswire. For other questions, like unusual logistics stuff, private messages on Campuswire or email are both OK, but please check the syllabus before emailing the course staff. If you send the course staff email, please include “COMPSCI 590K” in the subject line to make sure we answer them in a timely fashion.
Course staff typically respond to emails and Campuswire questions within one to two business days, but I (Marc) do not typically respond to communications after about 5pm or on weekends. Course staff tend to get a higher volume of messages when a deadline is approaching. If you contact the course staff at least two full business days before a deadline, you are guaranteed a reply before the deadline. Otherwise we’ll do our best, but no guarantees.
We’ll be using Zoom as needed for remote office hours. You have a University-specific Zoom account (accessed through your NetID) you can use for this course. We expect that you’ll use Zoom courteously. In particular this means:
Perusall is a online system to facilitate course readings and discussions. Access it via the link on the course Moodle page. All required course readings will be posted there, and you must complete them there to receive credit.
To quote Perusall’s only-slightly-hyperbolic marketing copy:
Perusall helps you master readings faster, understand the material better, and get more out of your classes. To achieve this goal, you will be collaboratively annotating the readings with others in your class. The help you’ll get and provide your classmates (even if you don’t know anyone personally) will get you past confusions quickly and will make the process more enjoyable. While you read, you’ll receive rapid answers to your questions, help others resolve their questions (which also helps you learn), and advise the instructor how to make class time most productive. You can start a new annotation thread in Perusall by highlighting text, asking a question, or posting a comment; you can also add a reply or comment to an existing thread. Each thread is like a chat with one or more members of your class, and it happens in real time. Your goals in annotating each reading assignment are to stimulate discussion by posting good questions or comments and to help others by answering their questions.
Research shows that by annotating thoughtfully, you’ll learn more and get better grades, so here’s what “annotating thoughtfully” means: Effective annotations deeply engage points in the readings, stimulate discussion, offer informative questions or comments, and help others by addressing their questions or confusions. To help you connect with classmates, you can “mention” a classmate in a comment or question to have them notified by email (they’ll also see a notification immediately if online), and you’ll also be notified when your classmates respond to your questions.
For each assignment we will evaluate the annotations you submit on time (as opposed to after the deadline!). Based on the overall body of your annotations, you will receive a score for each assignment as follows:
3 = demonstrates exceptionally thoughtful and thorough reading of the entire assignment
2 = demonstrates thoughtful and thorough reading of the entire assignment
1 = demonstrates superficial reading of the entire assignment OR thoughtful reading of only part of the assignment
0 = demonstrates superficial reading of only part of the assignment
When we look at your annotations we want them to reflect the effort you put in your study of the text. It is unlikely that that effort will be reflected by just a single thoughtful annotation per reading. On the other extreme, 10 per page is probably too many, unless a number of them are superficial or short comments or questions (which is fine, because it is OK to engage in chat with your peers). Somewhere in between these two extremes is about right and, thoughtful questions or comments that stimulate discussion or thoughtful and helpful answers to other students' questions will earn you a higher score for the assignment. Note, also, that to lay the foundation for understanding the material, you must generally familiarize yourself with each reading in its entirety. Practically, this means that failing to annotate the entire assignment may result in a lower score.
For examples of annotations and quality, see the document that Perusall provides for scoring examples.
Campuswire is a online discussion management system. It will be used as the main hub for questions and answers in this course. Campuswire is a great tool but it can be misused. Please follow these guidelines in your use of Campuswire:
The course staff will monitor Campuswire and answer your questions in a timely manner (generally within a business day). But do not expect us to provide real-time answers on Campuswire, especially in the last few hours before an assignment is due!
If a question has already been answered in a previous post we may not respond to you, instead directing you to the previous answer. If a question does not follow the guidelines above we may not answer it. If we find that a private question is relevant to a larger audience, we may make mark it public to help others in the course.
As a general guideline, the university suggests that students spend three to four hours of time on a class per credit hour. This is a three-credit course, therefore you should plan to spend nine to twelve hours a week on this class.
In a typical week, you will:
There is no formal attendance requirement, because the class doesn’t meet synchronously.
However, I do expect you to complete assigned readings, homeworks, and projects by their due date.
If you miss a deadline for health reasons, I may at my discretion excuse you from the assignment or grant you permission to submit late. Everyone gets sick from time to time and I will not generally require documentation for one or two missed deadlines. More frequent missing of deadlines for health reasons implies a multi-week illness or chronic condition, for which I will require documentation. The exception is exams. Especially without prior notice, being allowed to complete them late will almost certainly require documentation.
Note that if you are in isolation or quarantine due to COVID, the UMass contact tracers will provide you documentation on request.
If you add the class late, I will either grant extensions or excuse you from missed work, but you are responsible for both notifying me when you add in a timely fashion, and for completing the work on your own.
Incompletes will be granted only in exceptional cases, and only if you have completed at least half the course with a passing grade. Prior to that, withdrawal is the recommended course of action.
The course Moodle site contains a week-by-week schedule. Tentatively, it is as follows, with about two weeks per topic (except the first):
Unit 1: Introduction, overview
Unit 2: Parsing binary file formats, carving and reassembly
Unit 3: Hashing, streaming, sampling, and parallelism
Unit 4: Filesystems
Unit 5: Network forensics
Unit 6: Intro to memory forensics and reverse engineering
Unit 7: Machine learning applications in forensics
I urge you not to focus on numeric scores and grades in this course. Most students get good grades in this course. Focus instead on learning. A decade from now the grade you got in this course will be irrelevant, but one key insight or another may end up being invaluable to you.
Nonetheless, in the midst of a busy semester we all end up with moments of triage in which we need to understand where to concentrate our efforts. So to give you a sense of the relative importance of each form of assessment, we expect the breakdown for the final course grade to be as follows:
25% readings and discussion
15% final exam
The numerical cutoff for final course letter grade assignment will be made after all grading is completed. Expect to require at least a 93 to get an A, a 90 to get an A-, an 87 to get a B+, an 83 to get a B, an 80 to get a B-, and so on.
Individual grade items are not curved, so you should not get stressed about means, standard deviations, etc. related to particular scores you receive. What matters is your weighted average; we do not give favorable (or unfair) treatment by raising or lowering individual students' letter grades.
There are no unannounced opportunities for extra credit in this course; please do not ask.
Also: It’s 2022. Storage and bandwidth are virtually free. Back your work up, store it in the cloud, whatever. “My computer crashed” won’t be acceptable as an excuse in this class.
Late work is not generally accepted. If you need an individual extension due to calamity (illness, trauma, death in the family, etc.), I will require documentation of the calamity.
I will retain all graded materials for this course until the end of next semester. If you wish to review them, please come to see me during office hours (or make an appointment).
You are responsible for monitoring your grades. The course gradebook will be available through Moodle. You should check your grades regularly and review any provided feedback. If you encounter any issues with your grades, you will have one week past the first posting of a particular assignment’s grade to contact the course staff by email so that we can investigate. We will not generally accept questions about an individual assignment’s grade beyond this one week, so you must be prompt.
There will be assigned reading most weeks. I expect you to read them by the specified due date, and to engage with the readings – making observations of key points, making note of questions, answering others' questions when possible, and the like. To this end, we are going to use Perusall for most reading assignments. You must log into Perusall by clicking the link on the course Moodle page in order to receive credit. Otherwise grades will not be imported into Moodle, and you will receive a zero on the reading.
The majority of the workload in this course will consist of take-home problem sets and projects. These assignments will involve writing, programming, or both.
You will be allowed to work together on assignments, so long as you clearly indicate you collaborated (and with who). The goal here is to aid in your learning, not to have you swap off problem sets. If it becomes clear the latter is happening I will forbid collaboration.
We plan to give about six assignments, about one every two weeks.
Each assignment will contribute a stated number of points toward the “Assignments” portion of your course grade. Each assignment may be worth a different amount of points.
There will be an online open-notes midterm, scheduled for Friday, March 11th.
There will also be an online open-notes cumulative final exam. You must achieve a passing grade on the final exam to pass the class.
The final exam will be as scheduled by the registrar.
Exams must be completed on your own: they are not collaborative!
Please note (from the Academic Rules and Regulations):
…it is University policy not to require students to take more than two final examinations in one day of the final examination period. If any student is scheduled to take three examinations on the same day, the faculty member running the chronologically middle examination is required to offer a make-up examination if the student notifies the instructor of the conflict at least two weeks prior to the time the examination is scheduled. The student must provide proof of the conflict. This may be obtained from the Registrar’s Office, 213 Whitmore.
You are responsible for clearing your schedule at the beginning of the semester to take exams. The exam period is posted on the academic calendar before the beginning of classes. If you cannot commit to taking the final exam during the exam period, you should drop this class immediately. Makeup exams will be offered only in those cases where required by university policy.
Since the integrity of the academic enterprise of any institution of higher education requires honesty in scholarship and research, academic honesty is required of all students at the University of Massachusetts Amherst. Academic dishonesty is prohibited in all programs of the University. Academic dishonesty includes but is not limited to: cheating, fabrication, plagiarism, and facilitating dishonesty. Appropriate sanctions may be imposed on any student who has committed an act of academic dishonesty. Instructors should take reasonable steps to address academic misconduct. Any person who has reason to believe that a student has committed academic dishonesty should bring such information to the attention of the appropriate course instructor as soon as possible. Instances of academic dishonesty not related to a specific course should be brought to the attention of the appropriate department Head or Chair. Since students are expected to be familiar with this policy and the commonly accepted standards of academic integrity, ignorance of such standards is not normally sufficient evidence of lack of intent.
In addition, you should read the UMass Academic Honesty Policy (ignorance of the policy is no excuse).
Investigating academic dishonesty is an unpleasant experience for both the instructor and the student. Please help me by avoiding any questionable behavior.
Academic dishonesty is usually the result of other problems in school. Please come see me or the other course staff if you are unable to keep up with the work for any reason and we will do our best to work something out. The course staff want to see you succeed, but we cannot and will not tolerate academic dishonesty.
Be aware that if something looks like academic dishonesty to us, we will treat it as such, unless you can provide strong evidence to the contrary. When in doubt, it is your responsibility to contact the course staff about whether a potential action would be considered academic dishonesty.
You may discuss material with others, but when collaboration is forbidden (specifically: on the exams), your submission must be entirely your own.
More generally, you may not without permission get direct, interactive help with your work from anyone who is not a current member of of the class, either as a student or as course staff. “Help” includes designing algorithms, writing code, debugging, developing test cases, and so on. If you need to call on others for help, clear it with the instructor first. Generally we will say yes, but the intent of this rule is to make sure you are learning, and not just asking others to solve your assignments for you.
You may not provide your solutions to others, either directly or via some sort of public or private posting, except when collaboration is explicitly permitted (as it is on problem sets and the programming assignments) and when both you and the other person(s) are currently enrolled in this course.
You may not copy code from online sources – except for the current semester website / Moodle site. Copying and pasting code from another student (whom you are not submitting with) or from a third party is a violation of academic honesty, and we will endeavor to detect this by any means available to us, including automated similarity analysis of submitted assignments.
You may not use third-party online forums such as StackOverflow to ask for specific help on assignments, nor third-party course “notes” sites that traffic in solutions to assignments, nor may you search for solutions online.
When you ask for help, either in person or on Campuswire, it’s good practice to ask your question by describing the problem you’re having, or using a small synthetic example that illustrates your difficulty. If you must include a large chunk of your code to ask your question on Campuswire, mark it as a “private” question, and only the course staff will be able to see it.
You may work in small groups (up to three students) on the assignments. If you choose to do so, you may submit a single copy of the assignment and include all group members' names. Please do so clearly so we notice on the grading input!
You are free to work with different partners on each assignment if you choose.
Make sure to acknowledge any past partners whose work might have influenced your own in your assignment.
If you work with partner(s), you must do all the work together. It is against the rules to split up the work, or to have one person do it and another person “check” it, or to have one person write the code and another person write the tests, etc. When you submit as a partnership or group, you are asserting that all the work was done together.
The above rule has implications for academic honesty policy violations. If one of you is violates the policy, all of you are guilty. Consider that carefully. If your partner went off and implemented a lot of code “on their own,” how do you know they wrote it? Once in a while, it turns out somebody actually copied the code or solution from elsewhere. You will be culpable if your partner does this, because by submitting as a partnership (or group) you are claiming the solution to be jointly written by all of you.
Nonetheless, much like exceeding the speed limit on the highway, if you’re going to violate the rules, there are norms. On the highway, that means speeding in the left lane, and sticking to the speed limit in the right lane. In this class, we likewise know some people will violate the rules and split the work anyway. So if you do that, make sure to detail in your writeup who did what work. That is your best defense should a violation of the honesty policy be alleged.
The Office of the Registrar publishes Academic Regulations yearly. The Graduate School publishes a corresponding Graduate Student Handbook. You should be familiar with them. Particularly relevant are the policies on attendance, absences due to religious observance, and examinations.
Per the course-specific academic honesty policy, you are not permitted to make your solutions to the assignments in this class available to others. This includes reposting them to public GitHub repositories (or other service where another student might plausibly see them). If you need or want to use them as part of a portfolio, keep them private and share them individually with relevant people.
Most of the material (lecture notes, lectures, assignments, and so on) in this course is original work created by the instructor (Marc Liberatore); exceptions are clearly noted. These works are protected by U.S. copyright laws and by university policy. I am the exclusive owner of the copyright in materials I create.
You may take notes and make copies of course materials for your own use in this class. You may also share those materials with another student who is registered and enrolled in this course.
You may NOT reproduce, distribute, upload, or display any lecture notes or recordings or course materials in any other way – whether or not a fee is charged – without my express written consent. If you do so, you may be subject to disciplinary action under the UMass Code of Student Conduct.
While you are welcome to use the material for your own personal and educational use, you may not redistribute them to others outside the class. In particular, selling or otherwise redistributing your notes (or mine!), making or selling audio, video, or still recordings of course material, is not allowed without express written permission from me.
I make this stuff available on the web for you to use easily and without the hassle of sign-ups, logins, and the like, not for you to abuse for a buck. As Carol Barr (Senior Vice Provost and Dean of Undergraduate Education) and Enku Gelaye (Vice Chancellor for Student Affairs and Campus Life) noted at the start of the Fall 2018 semester, usage of notes or in-class recordings without the faculty member’s permission is a violation of the faculty member’s copyright protection.
The University of Massachusetts Amherst is committed to providing an equal educational opportunity for all students. If you have a documented physical, psychological, or learning disability on file with Disability Services (DS), you may be eligible for reasonable academic accommodations to help you succeed in this course. If you have a documented disability that requires an accommodation, please notify me within the first two weeks of the semester so that we may make appropriate arrangements.
Some material taken from the Rust Code of Conduct.
Some material taken from the Cornell CS 3110 syllabus and related policies.