coe589-121

COE589: Digital Forensics - Fall 2012 (121)

Lecture: Sunday/Tuesday | 18:30-19:45 | 24/149
Instructor: Ahmad Almulhem
Office: 22/407-2
Email: ahmadsm at kfupm
Office Hours:Sunday/Tuesday 11:15 - 12:50 and by appointment (email me)

Course Description

COE589 is a research-oriented graduate course in digital forensics. It aims to provide an extensive background suitable for those interested in conducting research in this area, as well as for those interested to learn about digital forensics in general. The course focuses on the technical issues and open problems in the area. Topics include fundamentals of digital forensics; digital forensics models, multimedia forensics; OS artifacts forensics; file carving; live and memory forensics; network forensics; mobile devices forensics; current tools and their limitations; legal and ethical issues.

A note on ethics: Techniques and tools discussed in class are strictly for educational purpose. DO NOT try them on a system/data that you don't own or for which you don't have permission. Otherwise, you might get yourself in serious legal consequences.

Prerequisites

Graduate standing. A student is expected to have basic knowledge in operating systems, computer architecture and programming.

Course Outcomes

Ability to apply knowledge of mathematics, science, and engineering to conduct research in the area of digital forensic.
Ability to use basic techniques, skills, and tools for digital forensics.
An understanding of professional and ethical responsibility in digital forensics.

Textbook

There is no required textbook. All readings are from selected research papers and reports.

References

C. Altheide et al, "Digital Forensics with Open Source Tools", Syngress, 2011.
B. Carrier, "File system forensic analysis", Addison-Wesley 2005
E. Casey, "Handbook of Digital Forensics and Investigation", Academic Press, 2009.
B. Nelson et al, "Guide to Computer Forensics and Investigations", Course Technology, 2009.

Evaluation

30% - Homework (reading summaries, case studies)
15% - Paper Presentations
45% - Project
10% - Class Discussion
Bonus points are rewarded for exceptional work

Homework

Homework assignments consist of writing a reflection upon each paper you read. Specific instructions and submission will be through webCT. All Homework assignments are to be done individually. Submission deadline is Saturday 11:59PM for papers discussed in Sunday class, and Monday 11:59PM for papers discussed in Tuesday class. Deadlines are strict and no late submission will be accepted. For overall homework grade, I will drop your 2 lowest-scoring homework assignments.

Paper Presentations

During the course, you will present two or three papers depending on the class size. When it is your turn to present a paper, your homework submission will be a presentation slides instead of the usual reflection homework assignment. The presentation has to be prepared as a full lecture allowing 15-20 minutes for questioning and discussion.

Project

A research-oriented project is the most significant component in this class. It may cover any topic of interest in digital forensics. You are encouraged to start thinking of a topic early, and to be creative and ambitious! A project should to be done in teams of two at most. Individual projects are also accepted upon instructor's consent.

The project will progress as follows:

Proposal: Write a concise project proposal (1 or 2 pages) that clearly states: the addressed problem, challenges for new research, your plan (including milestones and dates), any relevant papers of which you are already aware. The proposal is due Tuesday Oct 16 in class. Submit a hard-copy of the proposal and give a 15 min presentation.
Related Work: Prepare a thorough related work write-up (2 or 3 pages) similar to related work sections in the papers you have been reading. You have to reference at least 8 papers from reputable journals and conferences. For each paper, briefly discuss the main contributions, its relevance to your project, and (if appropriate) in what ways it differs from your effort. The related work is due Tuesday Nov 11 in class. Submit a hard-copy of the related work and give a 15 min presentation.
Status Update: Prepare a first draft of your work. At this time, you have to extend your write-up considerably beyond the previous submission (related work) by including design, implementation, initial results ... etc. Your submission should be formatted as a full paper similar to the good papers covered in class. Include all completed parts, and use place holders for parts to be completed. Briefly, describe what remains, and any open issues. The status update is due Tuesday Dec 11 in class. Submit a hard-copy of the first draft and give a 15 min presentation.
Final Presentation and paper: The final presentations will be held in the last week (week 15). The final paper is due Tuesday Dec 23. Submit a hard-copy in class and submit the same in the webCT.

Weekly Schedule

WK	Date	Topic	Reading	Notes	Presenter
1	9/2	Overview and Logistics		slides	Ahmad Almulhem
1	9/4	Digital Forensics		slides	Ahmad Almulhem
2	9/9	Research in Digital Forensics	"Digital Forensics: Defining a research agenda", K. Nance et al, HICSS'09 "Digital forensics research: The next 10 years", S. Garfinkel, Digital Investigation 2010	slides1, slides2	Ahmad Almulhem
2	9/11	Reading Papers	"Reading a computer science research paper", P. Fong, ACM SIGCSE Bulletin 2009 "How to Read a Paper", S. Keshav, ACM SIGCOMM Computer Communication Review, 2007 "Writing Technical Articles", H. Schulzrinne	slides	Ahmad Almulhem
3	9/16	Multimedia Forensics	"Forensics Investigations of Multimedia Data: A Review of the State-of-the-Art", R. Poisel, IMF 2011	slides1, slides2	Muhammad Qureshi
3	9/18	Image Forgery	"A robust detection algorithm for copy-move forgery in digital images", Y. Cao, Forensic science international 2011 Optional Reading: "Image Forgery Detection", H. Farid, IEEE signal processing magazine 2009	slides1, slides2	Issam Laradji
4	9/23	National Holiday (No Class)
4	9/25	Gender Identification	"Author gender identification from text", N. Cheng et al, Digital Investigation 2011	slides	Elhebri Khiari
5	9/30	File Carving	"The evolution of file carving", A. Pal et al, IEEE Signal Processing Magazine 2009	slides	Muhammad Butt
5	10/2	File Carving	"Carving contiguous and fragmented files with fast object validation", S. Garfinkel, DFRWS 2007	slides	Faizuddin Mohammad
6	10/7	File Carving	"Using NLP Techniques for File Fragment Classification", S. Fitzgerald et al, DFRWS 2012	slides1, slides2	Allam Fatayer
6	10/9	File Carving	"Bin-Carver: Automatic Recovery of Binary Executable Files", S. Hand et al, DFRWS 2012	slides1, slides2	Mohammed Siddiqui
7	10/14	Project	Proposal Discussion (bring 3 topics/papers to discuss)
7	10/16	Project	Proposal due (15 min presentation in class + write-up)
Eid Break
8	11/4	Live Forensics	"A survey of main memory acquisition and analysis techniques for the windows operating system", S. Vomel, Digital Investigation 2011 Optional Reading: "Forensic physical memory analysis: an overview of tools and techniques", G. Garcia, Helsinki University 2007	slides	Faizuddin Mohammad
8	11/6	Live Forensic (introspection)	"Forensics examination of volatile system data using virtual introspection", B. Hay, ACM SIGOPS Operating Systems Review 2008	slides	Allam Fatayer
9	11/11	Project	Related-Work Discussion
9	11/13	Project	Related-Work Due (15 min presentation in class + write-up)
10	11/18	Network Forensics	"Forensic Investigation of Peer-to-Peer File Sharing Network", M. Liberatore et al, DFRWS 2010	slides1, slides2	Danish Sattar
10	11/20	Network Forensics (Packet Carving)	"Forensic Carving of Network Packets and Associated Data Structures", R. Beverly et al, DFRWS 2012	slides	Ibrahim BenDaya
11	11/25	Mobile Forensic	"Towards a General Collection Methodology for Android Devices", T. Vidas, DFRWS 2011 Optional Reading: "Forensics and the GSM mobile telephone system", S. Willassen, International Journal of Digital Evidence 2003	slides1, slides2	Muhammad Qureshi
11	11/27	Mobile Forensic	"Social Networking Applications on Mobile Devices", N. Mutawa et al, DFRWS 2012	slides1, slides2	Elhebri Khiari
12	12/2	High Performance Forensics	"Massive Threading: Using GPUs to Increase the Performance of Digital Forensics Tools", L. Marziale et al, DFRWS 2007	slides1, slides2	Muhammad Butt
12	12/4	Software Forensics	"Software Forensics: Extending Authorship Analysis Techniques to Computer Programs", A. Gray et al, IAFL 1997	slides	Mohammed Siddiqui
13	12/9	Project	Status Update discussion
13	12/11	Project	Status Update Due (15 min presentation in class + 1st draft)
14	12/16	Differential Forensic	"A General Strategy for Differential Forensic Analysis", S. Garfinkel et al, DFRWS 2012	slides1, slides2	Issam Laradji
14	12/18	Large Scale Forensics	"Lessons Learned Writing Computer Forensics Tools and Managing a Large Digital Evidence Corpus", S. Garfinkel, DFRWS 2012	slides	Danish Sattar
15	12/23	Project	Final Presentations
15	12/25	Project	Final Presentations/ Final Paper due
16	12/29	Review

Policies

Attendance is required according to KFUPM policies. A DN grade is reported after 6 absences (20%).
Late submissions are not accepted.
No tolerance for cheating and plagiarism. KFUPM regulations will be enforced in such cases.