CIS 4930/5930: Applied Cyber Forensics
Department of Computer Science
Florida State University
Spring 2017
0x00: Course Summary
This course will familiarize students with the technical aspects of Windows host forensics. Students will learn how to use open source tools to make images; capture volatile data; perform file system, network traffic, memory, and disk image analysis; defeat simple anti-forensics techniques; use open source information to aid their investigations; and write professional reports on their findings.
0x01: Course Logistics
Instructors
Instructors: Xiuwen Liu (pronounced Shu-wen Lea-l), Douglas Hennenfent, and Shawn Stone
Email: liux@cs.fsu.edu, dmh14b@my.fsu.edu (Douglas Hennenfent), and sas13t@my.fsu.edu (Shawn Stone)
Home page: http://www.cs.fsu.edu/~liux
Office: Xiuwen Liu: 166 Love Building (LOV); Phone: (850) 644-0050. Douglas Hennenfent and Shawn Stone: 010 Love Building.
Office hours: Xiuwen Liu: Monday and Wednesday, 10:10am-11:30am. Douglas Hennenfent: TBD. Shawn Stone: TBD.
Course website: http://www.cs.fsu.edu/~liux/courses/acf/. Slides, assignments, and handouts will be available from http://www.cs.fsu.edu/~liux/courses/acf/calendar.html.
0x02: Course Time and Location
Tues/Thurs, 1100-1215, Love Building room 151.
0x03: Prerequisites and Corequisites
Prerequisite: CDA 3100 - Computer Organization I
Corequisite: COP 4530 - Data Structures, Algorithms, and Generic Programming
Success in this course will require familiarity with the Linux command line, the ability to work with and manipulate hexadecimal values, the capability to independently research novel concepts, and strong written communication skills.
0x04: Grading Policy
Grades will be determined as follows:
Assignment | Points
Class Attendance & Participation | 10%
Homework Assignments | 35%
Grad Project* | 10%
Final Project | 25%
Term Project | 20%
*For undergrads, the 10% grad project will be added to the homework assignments category.
Grading will be based on the weighted average as specified above, and the following scale will be used (S is the weighted average on a 100-point scale):
Score | Grade
93 <= S | A
90 <= S < 93 | A-
87 <= S < 90 | B+
83 <= S < 87 | B
80 <= S < 83 | B-
77 <= S < 80 | C+
73 <= S < 77 | C
70 <= S < 73 | C-
67 <= S < 70 | D+
63 <= S < 67 | D
60 <= S < 63 | D-
S < 60 | F
0x05: Late Penalties
Assignments are due at the beginning of class on the due date. Assignments turned in late, but before the beginning of the next scheduled class, will be penalized by 10%. Assignments that are more than one class period late will NOT be accepted.
0x06: Submission and Return Policy
All tests/assignments/projects/homework will be returned as soon as possible after grading.
0x07: Assignments and Assignment Submission Policies
Homework assignments (most of them involve solving forensics problems) will be given along with the lectures. These assignments need to be done individually and turned in along with a written report. There will be a term project, where a team must complete forensic analysis on several disk images. There will be an individual forensic analysis project during the last week of class and finals week.
Forensic analysts can expect to continually encounter systems, environments, and artifacts with which they are not familiar. The ability to address novel situations with research and experimentation is an essential skill. Given the sheer scope of detailed technical knowledge required, it is possible that at some point you may ask a question that the instructors would have to research further. In such situations, any student willing to research and write a short report answering the question may earn additional points towards their class participation grade.
If you are taking the course at the graduate level [5930], you will be expected to complete a project demonstrating initiative and outside learning commensurate with your education and experience as a graduate student. Possible projects include implementing, re-implementing, or extending an open source forensics tool; researching and demonstrating a forensics topic or technique not covered in the scope of this course; or developing or extending an anti-forensics tool. You will present your project during the last week of class. All projects must have a written proposal approved by the instructors. If you wish to do a project outside of the above suggestions, you may work with the instructors to develop an acceptable proposal for your idea. You may work with a partner. If you choose to work with a partner, the project should be appropriate in scope and challenge compared to an individual project.
0x08: Student Responsibilities
Attendance is required for this class. Unless you obtain prior consent of the instructors, missed classes will be used as a basis for attendance grading. Excused absences include documented illness, deaths in the family and other documented crises, call to active military duty or jury duty, religious holy days, and official University activities. These absences will be accommodated in a way that does not arbitrarily penalize students who have a valid excuse. Consideration will also be given to students whose dependent children experience serious illness. If it is necessary to miss a class, students are responsible for making up the missed material. Participation in in-class discussions and activities is also required.
All submitted assignments and projects must be done by the author(s). It is a violation of the Academic Honor Code to submit others' work, and the instructor of this course takes such violations very seriously.
This course will at times cover certain techniques to exploit and break down known systems in order to demonstrate their vulnerabilities. It is illegal, however, to practice these techniques on others' systems without the owner's explicit consent.
0x09: Textbooks, Computer Requirements
This course has no assigned textbook. A useful but not required reference is Digital Forensics with Open Source Tools by Altheide and Carvey.
Most assignments in this course will require a computer capable of running a hypervisor. It may be the case that your personal computer cannot run the necessary software. A few machines will be available in the LOV 016 lab for use by students in this course to complete their assignments. If you choose to use the shared machines, please be aware that some assignments may require lengthy processing time. It is best to start early to ensure that you have adequate time available on the shared machines.
0x0A: Rationale & Detailed Description for Course
Cybersecurity is a rapidly growing career field with many opportunities in the public and private sectors. A forensic analyst is a cybersecurity professional specializing in retrieving data from computer systems and determining what transpired on those systems.
In this course you will conduct several forensic investigations of Windows systems, from media capture to final reporting. The focus will be on Windows system internals from Vista onward and the NTFS file system, as this is a very common configuration for analysts to encounter. While the focus of this course is on the technical side of an analyst's responsibilities, you will be expected to produce forensics reports on all homework assignments and projects. These reports must be written at a level suitable for use in a court of law. As such, this course will be significantly more writing intensive than a typical Computer Science course.
This course focuses on host forensics. A complete analysis requires an ability to understand a computer's network traffic and the operations of any malware found on the system. However, this is not a networking course nor a reverse engineering course. While helpful, neither is necessary to understand the material for this course. As you continue your cybersecurity studies, both will be covered in significant depth in the excellent "Offensive Network Security" and "Reverse Engineering and Malware Analysis" courses.
0x0B: Course Objectives
After taking this course, students will be able to:
● Create forensically sound disk images and memory captures
● Find and interpret common Windows and NTFS artifacts
● Carve file systems and recover deleted information
● Obtain familiarity with open source forensics tools
● Create and extract information from memory captures and hibernation files
● Produce professional reports on the results of their analysis
● Recover and analyze e-mail databases
● Understand basic anti-forensics techniques
● Detect and determine functionality of malware to the extent possible without reverse engineering
● Capture and interpret network traffic
● Configure a professional forensics workstation
● Conduct a complete forensics examination
0x0C: Course Calendar
● Week 1: Intro. to Cyber Forensics, Need & Value of Forensics, Setting up a workstation, SIFT, How do I Linux, CrashDump course in hex & hex dumps, Reporting, Evidence Seizure, Chain of Custody, FDLE guest speaker.
● Week 2: Cont. Evidence Seizure, Order of Volatility, Chain of Custody, Reporting, FDLE guest speaker if not possible in week one, secure destruction of evidence when case is completed.
● Week 3: Disk Image Forensics: Disk structure - volumes and partitions, file systems, Slack space - volume, disk, and file, Copying images, Deleted files & Deleted file recovery.
● Week 4: Disk Image Forensics: FAT32, NTFS, $USNJrnl, Alternate Data Streams.
● Week 5: Disk Image Forensics: MBR, UEFI, FDE, continue disk forensics.
● Week 6: Windows Log File Analysis: Security & Event Logs, Timelining & Presenting log analyses.
● Week 7: Log File Analysis: Firewall Logs, PCAP, Crash course on the OSI stack, Databases, IIS, Applications.
● Week 8: Log File Analysis: Browser log files, Outlook PST / OST, continued log file analysis. Graduate project proposal due.
● Week 9: Win Sysinternals: Recycle Bin, Prefetch, JumpLists, Registry - Structure, Components, How to Read, LastWrite time, System Time, USB Devices, Mounted devices, Wired & Wireless network interfaces.
● Week 10: Spring break; stay safe.
● Week 11: Win Sysinternals: Registry - Shellbags; Most Recently Used lists; User Assist; Jump Lists; Run, Run Once, and Run Service Keys; Internet Explorer keys.
● Week 12: Win Memory Forensics: Volatile Storage, Memory Structure, Process Structure.
● Week 13: Win Memory Forensics: Introduction to Volatility, Dumping files from memory, grabbing passwords from memory, Hibernation Files.
● Week 14: Malware Research: OSINT research - Malware types, VirusTotal, Open source reporting and documentation, Open source tools, Source Code.
● Week 15: Anti-forensics: Log overwriting, Timestomping, Transmogrifying, Steganography, Encryption, Metasploit Anti-forensics framework, briefly memory anti-forensics.
● Week 16: Overflow space, Presentations of grad projects.
● Week 17 (Final Exam Week): Complete final project. Due at 5:00pm, May 4, 2018.
0x0D: Academic Honor Code
The Florida State University Academic Honor Policy outlines the University's expectations for the integrity of students' academic work, the procedures for resolving alleged violations of those expectations, and the rights and responsibilities of students and faculty members throughout the process. Students are responsible for reading the Academic Honor Policy and for living up to their pledge to "…be honest and truthful and … [to] strive for personal and institutional integrity at Florida State University." (Florida State University Academic Honor Policy, found at http://fda.fsu.edu/Academics/Academic-Honor-Policy).
Assignments/projects/exams are to be done individually, unless specified otherwise. It is a violation of the Academic Honor Code to take credit for the work done by other people. It is also a violation to assist another person in violating the Code (see the FSU Student Handbook for penalties for violations of the Honor Code). The judgment for a violation of the Academic Honor Code will be made by the instructor and a third party member (another faculty member in the Computer Science Department not involved in this course). Once the judgment is made, the case is closed and no arguments from the involved parties will be heard. Examples of cheating behaviors include:
● Discuss the solution for a homework question.
● Copy programs for programming assignments.
● Use and submit existing programs/reports from the world wide web as written assignments.
● Submit programs/reports/assignments done by a third party, including hired and contracted.
● Plagiarize sentences/paragraphs from others without giving the appropriate references. Plagiarism is a serious intellectual crime and the consequences can be very substantial.
Penalty for violating the Academic Honor Code: A 0 grade for the particular assignment/exam and a reduction of one letter grade in the final grade for all parties involved for each occurrence. A report will be sent to the department chairman for further administrative actions.
0x0E: Accommodation for Disabilities
Students with disabilities needing academic accommodation should: (1) register with and provide documentation to the Student Disability Resource Center; and (2) bring a letter to the instructor indicating the need for accommodation and what type. This should be done during the first week of class.
This syllabus and other class materials are available in alternative format upon request. For more information about services available to FSU students with disabilities, contact the Student Disability Resource Center, 874 Traditions Way, 108 Student Services Building, Florida State University, Tallahassee, FL 32306-4167; (850) 644-9566 (voice); (850) 644-8504 (TDD); sdrc@admin.fsu.edu; http://www.disabilitycenter.fsu.edu/.
0x0F: Additional Information
Free Tutoring from FSU: On-campus tutoring and writing assistance is
available for many courses at Florida State University. For more information,
visit the Academic Center for Excellence (ACE) Tutoring Services' comprehensive
list of on-campus tutoring options at http://ace.fsu.edu/tutoring or contact
tutor@fsu.edu. High-quality tutoring is available by appointment and on a
walk-in basis. These services are offered by tutors trained
to encourage the highest level of individual academic success while upholding
personal academic integrity.
0x10: Syllabus Change Policy
Except for changes that substantially affect implementation of the evaluation (grading) statement, this syllabus is a guide for the course and is subject to change with advance notice.