coe589-122

COE589: Digital Forensics - Spring 2013 (122)

Lecture: Sunday/Tuesday | 18:30-19:45 | 24/114
Instructor: Ahmad Almulhem
Office: 22/407-2
Email: ahmadsm at kfupm
Office Hours:Saturday/Sunday/Monday/Tuesday 11:00 - 12:00 and by appointment (email me)

Course Description

COE589 is a research-oriented graduate course in digital forensics. It aims to provide an extensive background suitable for those interested in conducting research in this area, as well as for those interested to learn about digital forensics in general. The course focuses on the technical issues and open problems in the area. Topics include fundamentals of digital forensics; digital forensics models, multimedia forensics; OS artifacts forensics; file carving; live and memory forensics; network forensics; mobile devices forensics; current tools and their limitations; legal and ethical issues.

A note on ethics: Techniques and tools discussed in class are strictly for educational purpose. DO NOT try them on a system/data that you don't own or for which you don't have permission. Otherwise, you might get yourself in serious legal consequences.

Prerequisites

Graduate standing. A student is expected to have basic knowledge in operating systems, computer architecture and programming.

Course Outcomes

Ability to apply knowledge of mathematics, science, and engineering to conduct research in the area of digital forensic.
Ability to use basic techniques, skills, and tools for digital forensics.
An understanding of professional and ethical responsibility in digital forensics.

Textbook

There is no required textbook. All readings are from selected research papers and reports.

References

C. Altheide et al, "Digital Forensics with Open Source Tools", Syngress, 2011.
B. Carrier, "File system forensic analysis", Addison-Wesley 2005
E. Casey, "Handbook of Digital Forensics and Investigation", Academic Press, 2009.
B. Nelson et al, "Guide to Computer Forensics and Investigations", Course Technology, 2009.

Evaluation

30% - Homework (reading summaries, case studies)
15% - Paper Presentations
10% - Class Discussion
45% - Project
Bonus points are rewarded for exceptional work

Homework (30%)

Homework assignments consist of writing a reflection upon each paper you read. Specific instructions and submission will be through webCT. All Homework assignments are to be done individually. Submission deadline is Sunday 12:00PM for papers discussed in Sunday class, and Tuesday 12:00PM for papers discussed in Tuesday class. Deadlines are strict and no late submission will be accepted.

Paper Presentations (15%)

During the course, you will present two or three papers depending on the class size. When it is your turn to present a paper, your homework submission will be a presentation slides instead of the usual reflection homework assignment. The presentation must be prepared as a 50-60 minutes lecture allowing for about 15 minutes for questioning and discussion. The presenter has to provide any necessary background materials which may require some research on his part. Evaluation is based on the presentation quality and on adhering to the following guidelines:

use white plain background and black large font
provide outline and add slides numbers
minimize text as much as possible and use figures/graphs
save presentation in the 97-2003 PowerPoint format (ppt) or in PDF format

Class Discussion (10%)

The rules regarding class discussion are as follows:

ONLY technical questions are allowed
Every student must prepare at least two technical questions prior to class time
0.5 point is deducted for not preparing questions
1.0 point is deducted for missing a class (absence)

Project (45%)

A research-oriented project is the most significant component in this class. It may cover any topic of interest in digital forensics. You are encouraged to start thinking of a topic early, and to be creative and ambitious! A project should to be done in teams of two at most. Individual projects are also accepted upon instructor's consent.

The project will progress as follows:

Proposal: Write a concise project proposal (1 or 2 pages) that clearly states: the addressed problem, challenges for new research, your plan (including milestones and dates), any relevant papers of which you are already aware. The proposal is due TBA.
Related Work: Prepare a thorough related work write-up (2 or 3 pages) similar to related work sections in the papers you have been reading. You have to reference at least 8 papers from reputable journals and conferences. For each paper, briefly discuss the main contributions, its relevance to your project, and (if appropriate) in what ways it differs from your effort. The related work is due TBA.
Status Update: Prepare a first draft of your work. At this time, you have to extend your write-up considerably beyond the previous submission (related work) by including design, implementation, initial results ... etc. Your submission should be formatted as a full paper similar to the good papers covered in class. Include all completed parts, and use place holders for parts to be completed. Briefly, describe what remains, and any open issues. The status update is due TBA.
Demo and Final paper: Demo of your work will be held in the last week (week 15). The final paper is due TBA.

Weekly Schedule

WK	Date	Topic	Reading	Notes	Presenter
1	1/27	Overview and Logistics		slides	Ahmad Almulhem
1	1/29	Digital Forensics		slides	Ahmad Almulhem
2	2/3	Research in Digital Forensics	K. Nance et al, "Digital Forensics: Defining a research agenda", HICSS'09 S. Garfinkel, "Digital forensics research: The next 10 years", Digital Investigation 2010	slides	Ahmad Almulhem
2	2/5	Reading Papers	P. Fong, "Reading a computer science research paper", ACM SIGCSE Bulletin 2009 S. Keshav, "How to Read a Paper", ACM SIGCOMM Computer Communication Review, 2007 "Writing Technical Articles", H. Schulzrinne	slides	Ahmad Almulhem
3	2/10	Investiation Framework	Ieong, Ricci SC. "FORZA - Digital forensics investigation framework that incorporate legal issues." digital investigation 3 (2006): 29-36.	slides	Abdiwahid Ahmed
3	2/12	Windows Forensics	Carvey, Harlan. "The Windows Registry as a forensic resource." Digital Investigation 2.3 (2005): 201-205.	slides	Azzat Ahmed
4	2/17	Time and Forensics	Chow, K. P., et al. "The Rules of Time on NTFS File System." Systematic Approaches to Digital Forensic Engineering, 2007. SADFE 2007. Second International Workshop on. IEEE, 2007. Case Study: Boyd, Chris, and Pete Forster. "Time and date issues in forensic computing - a case study." Digital Investigation 1.1 (2004): 18-23.	slides	Muhammad Naseer
4	2/19	Timeline	Hargreaves, Christopher, and Jonathan Patterson. "An automated timeline reconstruction approach for digital forensic investigations." Digital Investigation 9 (2012): S69-S79.	slides	Manaf Bin Yahya
5	2/24	File Carving	Richard III, Golden G., and Vassil Roussev. "Scalpel: A frugal, high performance file carver." Proceedings of the 2005 digital forensics research workshop (DFRWS 2005). 2005.	slides	Muhammad Naseer
5	2/26	File Carving	Veenman, Cor J. "Statistical disk cluster classification for file carving." Information Assurance and Security, 2007. IAS 2007. Third International Symposium on. IEEE, 2007.	slides	Iyad Shaheen
6	3/3	Live Forensics	Carrier, Brian D., and Joe Grand. "A hardware-based memory acquisition procedure for digital investigations." Digital Investigation 1.1 (2004): 50-60.	slides	MD Haque
6	3/5	Live Forensics	Hay, Brian, and Kara Nance. "Forensics examination of volatile system data using virtual introspection." ACM SIGOPS Operating Systems Review 42.3 (2008): 74-82.	slides	MD Haque
7	3/10	Mobile Forensics	Lessard, Jeff, and Gary Kessler. "Android Forensics: Simplifying Cell Phone Examinations." (2010).Small Scale Digital Device Forensics Journal Vol. 4, No.1, September 2010	slides	Manaf Bin Yahya
7	3/12		Free Talk
8	3/17	Project	Proposal Discussion
8	3/19	Project	Proposal due
Midterm Vacation
9	3/31	Project	Related-Work Discussion
9	4/2	Project	Related-Work Due
10	4/7	Cloud Forensics	Chung, Hyunji, et al. "Digital forensic investigation of cloud storage services." Digital Investigation (2012).	slides	Abdiwahid Ahmed
10	4/9	Mobile Forensics	Simao, et al. "Acquisition and Analysis of Digital Evidence in Android Smartphones." FORENSIC COMPUTER SCIENCE IJoFCS: 28.	slides	Abubakar Bala
11	4/14	Email Investigations	Persaud, Anthony, and Yong Guan. "A Framework for Email Investigations." Advances in Digital Forensics (2005): 79-90.	slides	Abubakar Bala
11	4/16	IM Forensics	Orebaugh, Angela, and Jeremy Allnutt. "Classification of instant messaging communications for forensics analysis." The International Journal of Forensics Computer Science (2009): 22-28.	slides	Azzat Ahmed
12	4/21	Anti-Forensics	Casey, Eoghan, and Gerasimos J. Stellatos. "The impact of full disk encryption on digital forensics." ACM SIGOPS Operating Systems Review 42.3 (2008): 93-98.		Iyad Shaheen
12	4/23		Free Talk
13	4/28	Project	Status Update discussion
13	4/30	Project	Status Update Due
14	5/5		Free Talk
14	5/7		Free Talk
15	5/12	Project	Demo
15	5/14	Project	Demo/ Final Paper due

Policies

Attendance is required according to KFUPM policies. A DN grade is reported after 6 absences (20%).
Late submissions are not accepted.
No tolerance for cheating and plagiarism. KFUPM regulations will be enforced in such cases.