Overview

Host Forensics involves the identification, preservation, and analysis of evidence of attacks in order to identify attackers and document their activity with sufficient reliability to justify appropriate technological, business, and legal responses. This course focuses on the technological and not on the legal components of the topic, and the emphasis is on the host rather than the network. The technical material covers the analysis of different attack types and the intrusion process, how to recognize an attack and the evidence it leaves behind, and technologies that assist in analyzing the data obtained or in obtaining more of it. We will look into methodologies for recovering data from persistent storage and memory, and investigate the use of virtual machines both in providing auditing capabilities to analysts and in setting traps for attackers. We will also learn about reverse engineering binaries, and about advanced techniques that aim to expose how a binary works and what its purpose is.

Prerequisites

The course requires good programming skills (C, C++), including some knowledge of x86 assembly, as well as a basic background in operating systems (mainly UNIX), networking, and security.

Course prereqs:

  • CS 506 Introduction to IT Security
  • CS 392 Systems Programming or CS 631 Advanced Programming in the UNIX Environment

Course material

The course does not require a textbook, however the following material could be useful:

  • Keith J. Jones, Richard Bejtlich, Curtis W. Rose, Dan Farmer, Wietse Venema, Brian Carrier, Computer Forensics Library Boxed Set (contains Forensic Discovery, Real Digital Forensics, and File System Forensic Analysis), Addison-Wesley Professional
  • Chris Eagle, The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler, No Starch Press
  • Warren G. Kruse II, Jay G. Heiser, Computer Forensics: Incident Response Essentials, Addison-Wesley Professional (This could be of particular interest to students interested in forensics and law enforcement)

Several of the topics covered during the course will be supported by research papers and articles available online. Please see the week-by-week schedule for more information.

Grading

Class participation: 10%
Homework: 30%
Project: 40%
In-class presentations: 20%

Note that exceptional work will be rewarded with bonus points.

Project

The goal of the project is to demonstrate that you have understood the material and that you can utilize your skills to solve problems in the host forensics domain. The projects will be evaluated primarily based on how well you think about problems, understand the issues involved, and are able to formulate and execute a research plan to address the problem. You can choose to explore new (i.e., publishable) ideas, which can earn you bonus points and even a publication, but you can also do well by analyzing, evaluating, and understanding the limits and key concepts of existing research.

The first step for the project will be preparing a proposal. This will help you commit to a particular project, think in depth about the steps that must be accomplished by the end of the course, and schedule the necessary tasks. At the end of the course you should present the results of your project by writing a paper, presenting experimental results, demonstrating developed tools, etc. The final deliverable should be in the form of a research paper like the ones covered in the lectures.

Read the following guides for help on writing papers:

In-class presentations

Each student will also be called to give a 45-minute presentation of a research paper of their choice (please check with me first) in one of the lectures. Available slots are listed in the week-by-week schedule. While one of the papers in the readings list will do, students are encouraged to look for related papers in one of the recent top systems or security conferences, such as SOSP, OSDI, IEEE Security & Privacy, CCS, USENIX Security, USENIX ATC, NDSS, ESORICS, RAID, and ACSAC. Also consider conferences focusing on digital forensics, such as the IFIP WG 11.9 International Conference on Digital Forensics and DFRWS.

Homework

Assignments will be given in the classroom weekly or bi-weekly, depending on the material covered.

Week-by-week schedule

The schedule is tentative and may change in the future. Last update 4/23/2013

Date Subject Readings Assignments

1/15/13

Introduction and course logistics

Lecture slides

Forensic Discovery, Chapter 1, Sections 4.1-4.6, Chapter 7, Sections 8.1-8.5
Computer Forensics: Incident Response Essentials, Chapter 1

1/22/13

Identifying important/relevant information

The importance of time

Filesystem basics

Lecture slides

Forensic Discovery, Chapter 2, Sections 2.1-2.5, 2.7-2.10, Chapter 3, Chapter 4, Sections 4.1-4.9

The Sleuth Kit

Assignment01

1/29/13

Recovering deleted files

File carving

Examining memory

Memory persistent information

Lecture slides

Forensic Discovery, Chapter 4, Section 4.10

Real digital forensics, Chapter 9

Anandabrata Pal and Nasir Memon
The Evolution of File Carving
Signal Processing Magazine, March 2009

Jim Chow, Ben Pfaff, Tal Garfinkel, Kevin Christopher, and Mendel Rosenblum
Understanding Data Lifetime via Whole System Simulation
USENIX Security 2004

Assignment02
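As an added illustration of the file-carving topic above (example code written for this page, not taken from the course materials or from any of the listed papers): a small header/footer carver run over a disk-image buffer constructed inline. The JPEG marker and PNG chunk structures it relies on are the real formats; the sample image, the function names, the nesting counter and the size limit are this example's own assumptions. It shows the classic failure mode of header-to-first-footer carving, a JPEG that embeds an EXIF thumbnail (a second SOI/EOI pair inside the file) and is truncated at the thumbnail's footer, and how tracking marker nesting, or walking the chunk structure for PNG, recovers the whole file.

```python
"""Minimal header/footer file carver. Added example; the 'disk image' is
constructed inline, not a real capture."""
import struct
import zlib

SOI = b"\xff\xd8"              # JPEG Start Of Image marker
EOI = b"\xff\xd9"              # JPEG End Of Image marker
PNG_SIG = b"\x89PNG\r\n\x1a\n"  # fixed 8-byte PNG signature


def make_jpeg_with_thumbnail() -> bytes:
    """Constructed JPEG whose APP1 (EXIF) segment carries a thumbnail JPEG,
    i.e. a second SOI/EOI pair nested inside the outer file."""
    thumb = SOI + b"\xff\xe0" + b"thumb-data" + EOI
    return SOI + b"\xff\xe1" + thumb + b"\xff\xda" + b"scan-data" * 3 + EOI


def make_png() -> bytes:
    """Constructed PNG with IHDR, one IDAT and IEND chunks; CRCs are real."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        crc = struct.pack(">I", zlib.crc32(ctype + data))
        return struct.pack(">I", len(data)) + ctype + data + crc
    return PNG_SIG + chunk(b"IHDR", b"\x00" * 13) + chunk(b"IDAT", b"pixels") + chunk(b"IEND", b"")


def carve_jpeg_naive(buf: bytes, start: int):
    """Header-to-first-footer carving: stops at the thumbnail's EOI."""
    j = buf.find(EOI, start + 2)
    return None if j < 0 else buf[start:j + 2]


def carve_jpeg(buf: bytes, start: int, max_len: int = 16 * 1024 * 1024):
    """Track SOI/EOI nesting so an embedded thumbnail does not truncate the
    outer file. Inside entropy-coded scan data 0xFF is always stuffed (FF00)
    or followed by an RSTn marker (D0-D7), so FFD8/FFD9 cannot occur there.
    max_len (an assumed bound) stops runaway carving on a missing footer."""
    depth, i, end = 0, start, min(len(buf), start + max_len)
    while i < end - 1:
        m = buf[i:i + 2]
        if m == SOI:
            depth += 1
            i += 2
        elif m == EOI:
            depth -= 1
            i += 2
            if depth == 0:
                return buf[start:i]
        else:
            i += 1
    return None  # no balanced EOI within max_len: treat as truncated


def carve_png(buf: bytes, start: int):
    """Walk the chunk list; the structure gives the exact length, and the
    file ends at IEND, so no footer search is needed."""
    i = start + len(PNG_SIG)
    while i + 8 <= len(buf):
        (length,) = struct.unpack(">I", buf[i:i + 4])
        ctype = buf[i + 4:i + 8]
        if not ctype.isalpha():     # chunk types are four ASCII letters
            return None
        i += 8 + length + 4         # length/type header + data + CRC
        if i > len(buf):
            return None             # chunk runs off the end of the image
        if ctype == b"IEND":
            return buf[start:i]
    return None


def carve(buf: bytes):
    """Scan for known headers and return (kind, offset, data) per file found."""
    found, i = [], 0
    while i < len(buf):
        kind, data = None, None
        if buf.startswith(SOI, i):
            kind, data = "jpeg", carve_jpeg(buf, i)
        elif buf.startswith(PNG_SIG, i):
            kind, data = "png", carve_png(buf, i)
        if data:
            found.append((kind, i, data))
            i += len(data)          # skip the carved file, including its nested SOI
        else:
            i += 1
    return found


JPEG = make_jpeg_with_thumbnail()
PNG = make_png()
# Constructed "disk image": slack, a JPEG, more slack, a PNG, trailing junk.
IMAGE = b"\x00" * 64 + JPEG + b"\x00" * 32 + PNG + b"A" * 16

if __name__ == "__main__":
    for kind, off, data in carve(IMAGE):
        print(f"{kind} at offset {off}, {len(data)} bytes")
    print("naive JPEG carve:", len(carve_jpeg_naive(IMAGE, 64)), "bytes vs real", len(JPEG))
```

On a real image the header signatures alone produce false positives, so a carver normally validates each candidate (for example by decoding it) and, for fragmented files, falls back to the more elaborate reassembly techniques surveyed in the Pal and Memon reading.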

2/5/13

Auditing using virtual machines

Student presentation slot

Lecture slides

Samuel T. King, George W. Dunlap, and Peter M. Chen
Debugging operating systems with time-traveling virtual machines
USENIX ATC 2005

Jim Chow, Tal Garfinkel, and Peter M. Chen
Decoupling dynamic program analysis from execution in virtual environments
USENIX Security 2008

Georgios Portokalidis, Philip Homburg, Kostas Anagnostakis and Herbert Bos
Paranoid Android: versatile protection for smartphones
ACSAC 2010

2/12/13

Honeypots and decoys

Student presentation slot

Lecture slides

Bill Cheswick
An Evening with Berferd In Which a Cracker is Lured, Endured, and Studied
USENIX Winter 1992

Niels Provos
A Virtual Honeypot Framework
USENIX Security 2004

Georgios Portokalidis, Asia Slowinska and Herbert Bos
Argos: an Emulator for Fingerprinting Zero-Day Attacks for advertised honeypots with automatic signature generation
EuroSys 2006

Lance Spitzner
Honeypots: Catching the Insider Threat
ACSAC 2003

Brian M. Bowen, Pratap Prabhu, Vasileios P. Kemerlis, Stelios Sidiroglou, Angelos D. Keromytis, and Salvatore J. Stolfo
BotSwindler: Tamper Resistant Injection of Believable Decoys in VM-Based Hosts for Crimeware Detection
RAID 2010

Assignment03

2/19/13

Monday class schedule
No class

2/26/13

Reverse engineering binaries

Debuggers and disassemblers

Lecture slides

Christopher Kruegel, William Robertson, Fredrik Valeur and Giovanni Vigna
Static Disassembly of Obfuscated Binaries
USENIX Security 2004

IDA Pro Book

Assignment04

3/5/13

Project proposal presentations

3/12/13

Spring recess
No class

3/19/13

Discovering data structures

Student presentation

Lecture slides

Anthony Cozzie, Frank Stratton, Hui Xue, and Samuel T. King
Digging For Data Structures
OSDI 2008

Zhiqiang Lin, Xiangyu Zhang and Dongyan Xu
Automatic Reverse Engineering of Data Structures from Binary Execution
NDSS 2010

Asia Slowinska, Traian Stancescu, and Herbert Bos
Howard: a dynamic excavator for reverse engineering data structures
NDSS 2011

3/26/13

Malware analysis

Student presentation

Lecture slides

Fanglu Guo, Peter Ferrie and Tzi-cker Chiueh
A Study of the Packer Problem and Its Solutions
RAID 2008

Artem Dinaburg, Paul Royal, Monirul Sharif, and Wenke Lee
Ether: malware analysis via hardware virtualization extensions
CCS 2008

Paolo Milani Comparetti, Guido Salvaneschi, Engin Kirda, Clemens Kolbitsch, Christopher Kruegel, Stefano Zanero
Identifying Dormant Functionality in Malware Programs
S&P 2010

Carsten Willems, Ralf Hund, Andreas Fobian, Dennis Felsch, and Thorsten Holz
Down to the Bare Metal: Using Processor Features for Binary Analysis
ACSAC 2012

Assignment05

4/2/13

Hiding malware, rootkits

Student presentation

Lecture slides

Samuel T. King, Peter M. Chen, Yi-Min Wang, Chad Verbowski, Helen J. Wang, Jacob R. Lorch
SubVirt: Implementing malware with virtual machines
S&P 2006

Zhi Wang, Xuxian Jiang, Weidong Cui, and Peng Ning
Countering kernel rootkits with lightweight hook protection
CCS 2009

Ralf Hund, Thorsten Holz, and Felix C. Freiling
Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms
USENIX Security 2009

Arvind Seshadri, Ning Qu, and Adrian Perrig
SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes
SOSP 2007

ubra
Hiding processes (understanding the Linux scheduler)
Phrack Inc., Volume 0x0b, Issue 0x3f, Phile #0x12 of 0x14

Sherri Sparks and Jamie Butler
Raising The Bar For Windows Rootkit Detection
Phrack Inc., Volume 0x0b, Issue 0x3d, Phile #0x08 of 0x14

4/9/13

Relating to the network

Protocol reverse engineering

Lecture slides

Real Digital Forensics: Chapters 2-5

Martin Roesch
Snort - Lightweight Intrusion Detection for Networks
LISA '99

W. Cui, J. Kannan, and H. J. Wang
Discoverer: Automatic Protocol Reverse Engineering from Network Traces
USENIX Security 2007

Juan Caballero, Heng Yin, Zhenkai Liang, and Dawn Song
Polyglot: Automatic extraction of protocol format using dynamic binary analysis
CCS 2007

Z. Lin, X. Jiang, D. Xu, and X. Zhang
Automatic protocol format reverse engineering through context-aware monitored execution
NDSS 2008

Asia Slowinska and Herbert Bos
The Age of Data: pinpointing guilty bytes in polymorphic buffer overflows on heap or stack
ACSAC 2007

4/16/13

Hiding information, encryption, and bypasses

Student presentation

Lecture slides

Christian S.J. Peron and Michael Legary
Digital Anti-Forensics: Emerging trends in data transformation techniques
Seccuris Labs

Omar Choudary, Felix Grobert, and Joachim Metz
Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption
IFIP WG 11.9 International Conference on Digital Forensics

J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten
Lest we remember: cold-boot attacks on encryption keys
USENIX Security 2008

Tilo Müller, Michael Spreitzenbarth, and Felix C. Freiling
FROST: Forensic Recovery of Scrambled Telephones
ACNS 2013

Assignment06

4/23/13

Real malware

Lecture slides

Mark W. Eichin and Jon A. Rochlis
With microscope and tweezers: the worm from MIT's perspective
Communications of the ACM, June 1989

Symantec
W32.Stuxnet Dossier (white paper)

4/30/13

Final project presentations