Cyber Forensics (Fall 2016)

Meeting Times

Days:   Tuesdays and Thursdays at 11am
Location:   FB331


This course focuses on topics in cyber forensics. The course is structured as a seminar where students jointly discuss selected papers and implement some of the ideas set forth in these papers. Introduction to Computer Security (COMP535) or equivalent is required as a prerequisite before taking this course. It is expected that students have good familiarity with Operating Systems concepts (e.g., memory management, processes, file systems). In addition, familiarity with low-level systems programming (e.g., C and assembly) will be necessary for understanding the details of some of the assigned readings, and will be helpful in completing the in-class exercises (for example, on malware analysis).

Course Project

The course project will involve validating ideas covered in one or more papers/topics discussed in class. For the most part, the project will entail extending an existing framework (mostly using Volatility) to assess the feasibility of ideas suggested from a myriad of sources (e.g., textbooks, academic papers, blog posts). Topics include memory acquisition, process memory internals, disk and file system artifacts, network artifacts, event reconstruction, time-line analysis, and malware forensics. The course project involves extending the (short) programming exercises given throughout the course. Several ideas for potential projects will be suggested (based on the list of papers below), but students are encouraged to work on topics that they are passionate about. Think of the course project as designing a lablet (with exercises) that would be suitable for students taking Comp535. Your lablet will be graded by your peers.

Readings and Presentations

Students are required to read the material assigned during the semester and be able to competently discuss the material in class. Students will be required to use a version control system (git) for sharing the solutions to the assigned tasks and explaining how they solved a given task.

Office Hours

Thursday 2pm-3:30 and by appointment.

Mailing List

Registered students will automatically be added to the course mailing list.


This is intended to be an INTERACTIVE class, and as such, class participation will play a significant role in the course grading criteria. (If you've taken COMP535 with me, then you know what I mean!) Students will be graded on how well they present the solutions to the rest of the class, their participation in discussions, and their course project. Tentative weights for the grading are as follows:

Deliverable                                     Grade
Programming tasks and in-class explanations     25%
Course Project                                  50%
Class participation                             25%

Books and supplemental readings

This tentative list of papers below will supplement topics from the textbook. Several of these papers will serve as the basis for exercises and projects.


Week 1

Course Introduction, objectives, project discussion

Week 2

Digital Forensics Research: The next 10 years

Simson Garfinkel, 2010. Readings:

Chapters 1-3 of AMF.

Week 3

Forensic Memory Analysis - Files Mapped in Memory

Wouter Alink and Alex van Ballegooij, 2008.

In-class exercise #1, parts 1 and 2

Related reading: Forensic Analysis of Video File Formats, Thomas Gloe, Andre Fischer and Matthias Kirchner, 2014.

Chapter 7 of AMF.

Check out this video that introduces some neat extensions done with Volatility.

Week 4

Flesh on the bone: detecting ROP-based malware

Kevin Snow et al. Just-in-time code attacks.

Related: Refresher on the stack-based labs from COMP535 (on your own).

In-class exercise #1, part 3

Week 5 - Away for RAID'16 conference

Extended Memory Analysis: In-class exercise #2, parts 1 and 2.

Week 6

Extracting the Windows Clipboard from Memory

James Okolica and Gilbert Peterson, 2011.

Readings: Chapters 5 and 14 of AMF.

Week 7

TLSkex: Harnessing Virtual Machine Introspection for Decrypting TLS Communication

Benjamin Taubmann, Christoph Freidrich, Dominik Dusold and Hans Reiser, 2016.

Related reading:

  • Saxon, Bordbar, Harrison. Efficient Retrieval of Key Material for Inspecting Potentially Malicious Traffic in the Cloud, ICCE 2015.

In-class exercise #3.

Weeks 8 and 9

Novel Feature Extraction, Selection and Fusion for Effective Malware Family Classification

Ahmadi et al, 2016.

Note: do not download the Kaggle dataset; we already have a copy on the class VMs.

Related reading:

Week 10

Live Honeynet Analysis and Forensic challenges

Related: The Honeynet Project Challenges.

Chapter 8 of AMF.

Week 11

Life on Clouds, a forensics review

Marco Scarito, Mattia Epifani and Francesco Picasso, 2016.

Related reading: A Forensically Robust Method for Acquisition of iCloud Data, Kurt Oestreicher, 2014.

Week 12

Security Analysis of Emerging SmartHome Applications

Earlence Fernandes, Jaeyeon Jung, Atul Prakash, 2016.