Welcome to the CIS 5930:Applied Cyber Forensics

Since this is not a web dev class, do not expect fancy CSS or Javascript. Enjoy.

CIS 5930: Applied Cyber Forensics

Department of Computer Science
Florida State University
Fall 2019

0x00: Course Summary

This course will familiarize students with the technical aspects of Windows host forensics. Students will learn how to use open source tools to make images, capture volatile data, perform file system, network traffic, memory, and disk image analysis, defeat simple anti forensics techniques, use open source information to aid their investigations, and write professional reports on their findings.

0x01 Course Logistics

Instructors: Jordan Mussman, [jlm13v at my dot fsu dot edu] with sponsored professor Dr. Mike Burmester, [burmeste at cs dot fsu dot edu] and Dr. Xiuwen Liu, [xliu at cs dot fsu dot edu].

Jordan’s Office Hours: Thursday’s at 10 AM LOV010 (SAIT Lab)

Course website: fsuforensics.com Slides, assignments, and handouts will be available from fsuforensics.com/calendar.html

0x02 Course Time and Location

Tuesday/Thursday, 1400 – 1515 Room LOV151

0x03 Prerequisites and Corequisites

Prerequisites: CDA 3100 – Computer Organization 1
Corequisites: CDA 3105 – Computer Organization 2

Success in this course will require familiarity with the Linux command line, an ability to work with and manipulate hexadecimal values, capability to independently research novel concepts, and strong written communication skills.

0x04 Grading Policy

Grades will be determined as follows:

Assignment	Points	Assignment	Points
Class Attendance & Participation	10 %	Final Project	25 %
Homework Assignments	30 %	Term Project	20 %
Grad Project	10 %	Quizzes	5 %

*For undergrads, the 10% grad project will be added to the homework assignments category.
*Quizzes will be CTF-Style challenges to familiarize students with the current idea or tool being discussed in class that week.

Grading will be based on the weighted average as specified above and the following scale will be used (S is the weighted average on a 100-point scale):

Score	Grade	Score	Grade	Score	Grade
93 <= S	A	80 <= S < 83	B-	67 <= S < 70	D+
90 <= S < 93	A-	77 <= S < 80	C+	63 <= S < 67	D
87 <= S < 90	B+	73 <= S < 77	C	60 <= S < 63	D-
83 <= S < 87	B	70 <= S < 73	C-	S < 60	F

0x05 Late Penalties

Assignments are due at the beginning of the class on the due date. Assignments turned in late, but before the beginning of the next scheduled class will be penalized by 10%. Assignments that are more than one class period late will NOT be accepted.

0x06: Submission and Return Policy

All tests/assignments/projects/homework will be returned as soon as possible after grading.

0x07: Assignments and Assignment Submission Polices:

Homework assignments (most of them involve solving forensics problems) will be given along with the lectures. These assignments need to be done individually and turned in along with a written report. There will be a term project, where a team must complete forensic analysis on several disk images. There will be an individual forensic analysis project during the last week of class and finals week.

Forensic analysts can expect to continually encounter systems, environments, and artifacts with which they are not familiar. The ability to address novel situations with research and experimentation is an essential skill. Given the sheer scope of detailed technical knowledge required it is possible that at some point you may ask a question that the instructors would have to further research. In such situations any student willing to research and write a short report answering the question may earn additional points towards their class participation grade. If you are taking the course at the graduate level [5930] you will be expected to complete a project demonstrating initiative and outside learning commensurate with your education and experience as a graduate student. Possible projects include implementing, re-implementing, or extending an open source forensics tool; researching and demonstrating a forensics topic or technique not covered in the scope of this course; or developing or extending an anti-forensics tool. You will present your project during the last week of class. All projects must have a written proposal approved by the instructors. If you wish to do a project outside of the above suggestions, you may work with the instructors to develop an acceptable proposal for your idea. You may work with a partner. If you choose to work with a partner the project should be appropriate in scope and challenge compared to an individual project.

If you are taking the course at the graduate level [5930] you will be expected to complete a project demonstrating initiative and outside learning commensurate with your education and experience as a graduate student. Possible projects include implementing, re-implementing, or extending an open source forensics tool; researching and demonstrating a forensics topic or technique not covered in the scope of this course; or developing or extending an anti-forensics tool. You will present your project during the last week of class. All projects must have a written proposal approved by the instructors. If you wish to do a project outside of the above suggestions, you may work with the instructors to develop an acceptable proposal for your idea. You may work with a partner. If you choose to work with a partner the project should be appropriate in scope and challenge compared to an individual project.

0x08: Student Responsibilities

Attendance is required for this class. Unless you obtain prior consent of the instructors, missing Classes will be used as a basis for attendance grading. Excused absences include documented illness, deaths in the family and other documented crises, call to active military duty or jury duty, religious holy days, and official University activities. These absences will be accommodated in a way that does not arbitrarily penalize students who have a valid excuse. Consideration will also be given to students whose dependent children experience serious illness. In case that it is necessary to skip a class, students are responsible to make up missed materials. Participation in in-class discussions and activities is also required. All submitted assignments and projects must be done by the author(s). It is a violation of the Academic Honor Code to submit other’s work and the instructor of this course takes the violations very seriously. This course will at times cover certain techniques to exploit and break down known systems in order to demonstrate their vulnerabilities. It is ILLEGAL, however, to practice these techniques on others’ systems without the owner’s explicitly, written, consent.

0x09: Textbooks, Computer Requirements

This course has no assigned textbook. A useful but not required reference is Digital Forensics with Open Source Tools by Altheide and Carvey and The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory by Ligh, Case, Levy, and Walters.

Most assignments in this course will require a computer capable of running a hypervisor. It may be the case that your personal computer cannot run the necessary software. A few machines will be available in the LOV 016 lab for use by students in this course to complete their assignments. If you choose to use the shared machines, please be aware that some assignments may require lengthy processing time. It is best to start early to ensure that you have adequate time available on the shared machines.

0x0A Rational and Detailed Description for Course

Cybersecurity is a rapidly growing career field with many opportunities in the public and private sectors. A forensic analyst is a cybersecurity professional specializing in retrieving data from computer systems and determining what transpired on that system.

In this course you will conduct several forensic investigations of Windows systems from media capture to final reporting. The focus will be on Windows system internals from Vista onward and the NTFS file system as this is a very common configuration for analysts to encounter. While the focus of this course is on the technical side of an analyst’s responsibilities, you will be expected to produce forensics reports on all homework assignments and projects. These reports must be written at a level suitable for use in a court of law. As such this course will be significantly more writing intensive than a typical Computer Science course.

This course focuses on host forensics. A complete analysis requires an ability to understand a computer’s network traffic and the operations of any malware found on the system. However, this is not a networking course nor a reverse engineering course. While helpful, neither are necessary to understand the material for this course. As you continue your cybersecurity studies both will be covered insignificant depth in the excellent “Offensive Network Security”, “Practical Cyber Operations Fundamentals”, and “Reverse Engineering and Malware Analysis” courses.

0x0B: Course Objectives

After taking this course, students will be able to:

Find and interpret common Windows and NTFS artifacts
Carve file systems and recover deleted information
Obtain familiarity with open source forensics tools
Create and extract information from memory captures and hibernation files
Produce professional reports on the results of their analysis
Recover and analyze e-mail databases
Understand basic anti-forensics techniques
Detect and determine functionality of malware to the extent possible without reverse engineering
Capture and interpret network traffic
Configure a professional forensics workstation
Conduct a complete forensics examination under Chain of Custody regulations

0x0C: Course Calendar (Subject to Change)

Week 1: Intro. to Cyber Forensics, Need and Value of Forensics, setting up a workstation, SIFT,How do I Linux, CrashDump course in hex and hex dumps, Reporting, Evidence Seizure, Chain of Custody, FDLE guest speaker.
Week 2: Cont. Evidence Seizure, Order of Volatility, Chain of Custody, Reporting, FDLE guest speaker if not possible in week one, secure destruction of evidence when case is completed.
Week 3: Disk Image Forensics: Disk structure - volumes and partitions, file systems, Slack space - volume, disk, and file, copying images, Deleted files and Deleted file recovery.
Week 4: Disk Image Forensics: FAT32, NTFS, $USNJrnl, Alternate Data Streams
Week 5: Disk Image Forensics: MBR, UEFI, FDE, continue disk forensics.
Week 6: Windows Log File Analysis: Security and Event Logs, Timelining and Presenting log analyses.
Week 7: Log File Analysis: Firewall Logs, PCAP, Crash course on the OSI stack, Databases, IIS, Applications.
Week 8: Log File Analysis: Browser log files, OutLook PST / OST, continued log file analysis. Graduate project proposal due.
Week 9: Win Sysinternals: Recycle Bin, Prefetch, JumpLists, Registry - Structure, Components, How to Read, LastWrite time, System Time, USB Devices, Mounted devices, Wired and Wireless network interfaces.
Week 10: Win Sysinternals: Registry - Shellbags; Most Recently Used lists; User Assist; Jump Lists; Run, Run Once, and Run Service Keys; Internet Explorer keys
Week 11: Win Memory Forensics: Volatile Storage, Memory Structure, Process Structure
Week 12: Win Memory Forensics: Introduction to Volatility, dumping files from memory, grabbing passwords from memory, Hibernation Files
Week 13: Malware Research: OSINT research - Malware types, Virus Total, Open source reporting and documentation, Open source tools, Source Code
Week 14: Thanksgiving Break
Week 15: Anti-forensics: Log overwriting, time stomping, transmogrifying, steganography, encryption, Metasploit, anti-forensics framework, briefly memory anti-forensics.
Week 16: Overflow space, Presentations of grad projects.
Week 17: (Final Exam Week): Complete final project. Due at 5:00pm, December 12, 2019.

0x0D: Academic Honor Code

The Florida State University Academic Honor Policy outlines the University’s expectations for the integrity of students’ academic work, the procedures for resolving alleged violations of those expectations, and the rights and responsibilities of students and faculty members throughout the process. Students are responsible for reading the Academic Honor Policy and for living up to their pledge to “…be honest and truthful and … [to] strive for personal and institutional integrity at Florida State University.” (Florida State University Academic Honor Policy, found at http://fda.fsu.edu/Academics/Academic-Honor-Policy).

Assignments/projects/exams are to be done individually, unless specified otherwise. It is a violation of the Academic Honor Code to take credit for the work done by other people. It is also a violation to assist another person in violating the Code (See the FSU Student Handbook for penalties for violations of the Honor Code). The judgment for the violation of the Academic Honor Code will be done by the instructor and a third party member (another faculty member in the Computer Science Department not involved in this course). Once the judgment is made, the case is closed and no arguments from the involved parties will be heard. Examples of cheating behaviors include:

Discuss the solution for a homework question.
Copy programs for programming assignments.
Use and submit existing programs/reports on the world wide web as written assignments.
Submit programs/reports/assignments done by a third party, including hired and contracted.
Plagiarize sentences/paragraphs from others without giving the appropriate references.
Plagiarism is a serious intellectual crime and the consequences can be very substantial.

Penalty for violating the Academic Honor Code: A 0 grade for the particular assignment /exam and a reduction of one letter grade in the final grade for all parties involved for each occurrence. A report will be sent to the department chairman for further administrative actions.

0x0E: Accommodation for Disabilities

Students with disabilities needing academic accommodation should: (1) register with and provide documentation to the Student Disability Resource Center; and (2) bring a letter to the instructor indicating the need for accommodation and what type. This should be done during the first week of class. This syllabus and other class materials are available in alternative format upon request. For more information about services available to FSU students with disabilities, contact the: Student Disability Resource Center 874 Traditions Way 108 Student Services Building Florida State University Tallahassee, FL 32306-4167 (850) 644-9566 (voice) (850) 644-8504 (TDD) [email protected] http://www.disabilitycenter.fsu.edu/.

0x0F: Additional Information

Free Tutoring from FSU: On-campus tutoring and writing assistance is available for many courses at Florida State University. For more information, visit the Academic Center for Excellence (ACE) Tutoring Services' comprehensive list of on-campus tutoring options at http://ace.fsu.edu/tutoring or contact [email protected]. High-quality tutoring is available by appointment and on a walk-in basis. These services are offered by tutors trained to encourage the highest level of individual academic success while upholding personal academic integrity.

0x10: Syllabus Change Policy:

Except for changes that substantially affect implementation of the evaluation (grading) statement, this syllabus is a guide for the course and is subject to change with advance notice.