Host Forensics involves the identification, preservation, and analysis of evidence of attacks in order to identify attackers and document their activity with sufficient reliability to justify appropriate technological, business, and legal responses. This course focuses on the technological and not on the legal components of the topic. The emphasis is on the host aspect. The technical aspect addresses the analysis of different attack types and the intrusion process, how to identify an attack and the evidence left behind, and technologies that can be used to assist in the analysis of obtained data or in obtaining more data. We will look into methodologies for recovering data from persistent storage and memory. Investigate the use of virtual machines in providing auditing capabilities to analysts and in setting traps for attackers. We will also learn about reverse engineering binaries, and advanced techniques that aim to expose the way they work and their purpose.


The course requires good programming skills (C, C++), including some knowledge of x86 assembly. Also, a basic background in operating systems (mainly UNIX), networking, and security.

Course prereqs:

  • CS 506 Introduction to IT Security
  • CS 392 Systems Programming or CS 631 Advanced Programming in the UNIX Environment

If you feel that you possess the skills to follow this course but have not taken the prerequisite courses, contact me to establish whether I can waive the requirements for the course.

Course material

The course does not require a textbook, however the following material could be useful:

  • Keith J. Jones, Richard Bejtlich, Curtis W. Rose, Dan Farmer, Wietse Venema, Brian Carrier, Computer Forensics Library Boxed Set (contains Forensic Discovery, Real Digital Forensics, and File System Forensic Analysis), Addison-Wesley Professional
  • Chris Eagle, The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler, No Starch Press
  • Warren G. Kruse II, Jay G. Heiser, Computer Forensics: Incident Response Essentials, Addison-Wesley Professional (This could be of particular interest to students interested in forensics and law enforcement)

Several of the topics covered during the course will be supported by research papers and articles available online. Please see the week-by-week schedule for more information.


Class participation20%
In-class presentations20%

Exceptional work will be rewarded with bonus points.


The goal of the project is to demonstrate that you have understood the material and that you can utilize your skills to solve problems in the host forensics domain.

The first step for the project will be preparing a proposal. It is important to be able to identify a problem, find related work, formulate a plan to solve it, and implement a solution.

At the end of the course you should present the results of your project by writing a paper, presenting experimental results, demonstrating developed tools etc. The final deliverable should be in the form of a research paper like the ones covered in the lectures.

The projects will be evaluated primarily based on correctness. You can choose to explore new (i.e., publishable) ideas, which can earn you bonus points and even a publication, but you can also do well by analyzing, evaluating, and understanding the limits and key concepts of existing research. Along with code deliverables, you should also submit a report describing the problem, discussing related work, and presenting your approach and implementation. Credit will be also given for evaluating the work on appropriate axes.

Read the following guides for help on writing papers that can help you with the report:

In-class presentations

students will be called to give a 30 to 45-minute presentations of research papers provided as reading material in-class. Students are encouraged to also look for related papers in recent top systems or security conferences. Such conferences are: SOSP, OSDI, Security & Privacy, CCS, USENIX Security, USENIX ATC, NDSS, ESORICS, RAID, and ACSAC. Also consider conferences focusing on digital forensics, like IFIP WG 11.9 International Conference on Digital Forensics and DFRWS.

Following the presentations there will be in-class discussion, which will affect the participation grade.


Assignments will be also given in the classroom with no more than 6 assignments given in the duration of the course.

Week-by-week schedule

The schedule is tentative and may change in the future.

Date Subject Readings Assignments


Introduction and course logistics

Forensic Discovery, Chapter 1, Sections 4.1-4.6, Chapter 7, Sections 8.1-8.5
Computer Forensics: Incident Response Essentials, Chapter 1

Slides: Logistics, Introduction.



Identifying important/relevant information

The importance of time

Filesystem basics

Forensic Discovery, Chapter 2, Sections 2.1-2.5, 2.7-2.10, Chapter 3, Chapter 4, Sections 4.1-4.9

The Sleuth Kit

Slides: Forensics Basics.


Recovering deleted files

File carving

Examining memory

Memory persistent information

Forensic Discovery, Chapter 4, Section 4.10
Real digital forensics, Chapter 9

Slides: Recovering Data.

Anandabrata Pal and Nasir Memon
The Evolution of File Carving
Signal Processing Magazine, March 2009

In-class discussion and presentation

Jim Chow, Ben Pfaff, Tal Garfinkel, Kevin Christopher, and Mendel Rosenblum
Understanding Data Lifetime via Whole System Simulation
USENIX Security 2004

Martin Karresand and Nahid Shahmehri
Oscar — File Type Identification of Binary Data in Disk Clusters and RAM Pages
IFIP International Federation for Information Processing Volume 201, 2006, pp 413-424

Assignment 1


Auditing using virtual machines

Slides: Auditing Using VMs.

In-class discussion and presentation

Samuel T. King, George W. Dunlap, and Peter M. Chen
Debugging operating systems with time-traveling virtual machines

Jim Chow, Tal Garfinkel, and Peter M. Chen
Decoupling dynamic program analysis from execution in virtual environments
USENIX Security 2008

Georgios Portokalidis, Philip Homburg, Kostas Anagnostakis and Herbert Bos
Paranoid Android: versatile protection for smartphones
ACSAC 2010



Honeypots and decoys

Bill Cheswick
An Evening with Berferd In Which a Cracker is Lured, Endured, and Studied

In-class discussion and presentation

Niels Provos
A Virtual Honeypot Framework
USENIX Security 2004

Georgios Portokalidis, Asia Slowinska and Herbert Bos
Argos: an Emulator for Fingerprinting Zero-Day Attacks for advertised honeypots with automatic signature generation
EuroSys 2006

Lance Spitzner
Honeypots: Catching the Insider Threat
ACSAC 2003

Brian M. Bowen, Pratap Prabhu, Vasileios P. Kemerlis, Stelios Sidiroglou, Angelos D. Keromytis, and Salvatore J. Stolfo
BotSwindler: Tamper Resistant Injection of Believable Decoys in VM-Based Hosts for Crimeware Detection
RAID 2010



Monday class schedule
No class



Reverse engineering binaries

Debuggers and disassemblers

Discovering data structures

IDA Pro Book

In-class discussion and presentation

Christopher Kruegel, William Robertson, Fredrik Valeur and Giovanni Vigna
Static Disassembly of Obfuscated Binaries
USENIX Security 2004

Anthony Cozzie, Frank Stratton, Hui Xue, and Samuel T. King
Digging For Data Structures
OSDI 2008

Zhiqiang Lin, Xiangyu Zhang and Dongyan Xu
Automatic Reverse Engineering of Data Structures from Binary Execution
NDSS 2010

Asia Slowinska, Traian Stancescu, and Herbert Bos
Howard: a dynamic excavator for reverse engineering data structures
NDSS 2011



Project proposal presentations



Spring recess
No class



Malware analysis

In-class discussion and presentation

Fanglu Guo, Peter Ferrie and Tzi-cker Chiueh
A Study of the Packer Problem and Its Solutions
RAID 2008

Dinaburg, Artem and Royal, Paul and Sharif, Monirul and Lee, Wenke
Ether: malware analysis via hardware virtualization extensions
CCS 2008

Paolo Milani Comparetti, Guido Salvaneschi, Engin Kirda, Clemens Kolbitsch, Christopher Kruegel, Stefano Zanero
Identifying Dormant Functionality in Malware Programs
S&P 2010

Carsten Willems, Ralf Hund, Andreas Fobian, Dennis Felsch, and Thorsten Holz
Down to the Bare Metal: Using Processor Features for Binary Analysis
ACSAC 2012



Hiding malware, rootkits

hiding processes ( understanding the linux scheduler ) by ubra
==Phrack Inc.== Volume 0x0b, Issue 0x3f, Phile #0x12 of 0x14

Raising The Bar For Windows Rootkit Detection by Sherri Sparks and Jamie Butler
==Phrack Inc.== Volume 0x0b, Issue 0x3d, Phile #0x08 of 0x14

In-class discussion and presentation

Samuel T. King, Peter M. Chen, Yi-Min Wang, Chad Verbowski, Helen J. Wang, Jacob R. Lorch
SubVirt: Implementing malware with virtual machines
S&P 2006

Wang, Zhi and Jiang, Xuxian and Cui, Weidong and Ning, Peng
Countering kernel rootkits with lightweight hook protection
CCS 2009

Ralf Hund , Thorsten Holz , Felix C. Freiling
Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms
USENIX Security 2009

Arvind Seshadri, Ning Qu, and Adrian Perrig
SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes
SOSP 2007



Mobile device forensics

Rick Ayers, Wayne Jansen, Nicolas Cilleros, and Ronan Daniellou
Cell Phone Forensic Tools: An Overview and Analysis
NIST, October 2005

Andrew Hoog
Android Forensics: Investigation, Analysis and Mobile Security for Google Android

Shafik G. Punja and Richard P. Mislan
Mobile Device Analysis

Konstantia Barmpatsalou, Dimitrios Damopoulos, Georgios Kambourakis, and Vasilios Katos
A critical review of 7 years of Mobile Device Forensics
Digital Investigation Volume 10, Issue 4, December 2013



Relating to the network

Protocol reverse engineering

Real Digital Forensics: Chapters 2-5

In-class discussion and presentation

Martin Roesch
Snort - Lightweight Intrusion Detection for Networks
LISA '99

W. Cui, J. Kannan, and H. J. Wang
Discoverer: Automatic Protocol Reverse Engineering from Network Traces
Usenix Security 2007

Juan Caballero, Heng Yin, Zhenkai Liang, and Dawn Song
Polyglot: Automatic extraction of protocol format using dynamic binary analysis
CCS 2007

Z. Lin, X. Jiang, D. Xu, and X. Zhang
Automatic protocol format reverse engineering through context-aware monitored execution
NDSS 2008

Asia Slowinska and Herbert Bos
The Age of Data: pinpointing guilty bytes in polymorphic buffer overflows on heap or stack
ACSAC 2007



Hiding information, encryption, and bypasses

In-class discussion and presentation

Christian S.J. Peron and Michael Legary
Digital Anti-Forensics: Emerging trends in data transformation techniques
Seccuris Labs

Omar Choudary, Felix Grobert, and Joachim Metz
Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption
IFIP WG 11.9 International Conference on Digital Forensics

J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten
Lest we remember: cold-boot attacks on encryption keys
USENIX Security 2008

Tilo Muller, Michael Spreitzenbarth, and Felix C. Freiling
Frost Forensic Recovery of Scrambled Telephones
ACNS 2013



Real malware

Mark W. Eichin and Jon A. Rochlis
With microscope and tweezers: the worm from MIT's perspective
Communications of the ACM

W32.Stuxnet.Dossier White paper



Final project presentations