CS 695 Host Forensics

Spring 2014
Instructor	Georgios Portokalidis
Time	Tuesday 11:00am-1:15pm
Location	Lieb 218
Office hours	Mondays 4-6pm
Mailing list	cs695 AT lists.stevens.edu

Overview | Prerequisites | Course material | Grading | Schedule

Overview

Host Forensics involves the identification, preservation, and analysis of evidence of attacks in order to identify attackers and document their activity with sufficient reliability to justify appropriate technological, business, and legal responses. This course focuses on the technological and not on the legal components of the topic. The emphasis is on the host aspect. The technical aspect addresses the analysis of different attack types and the intrusion process, how to identify an attack and the evidence left behind, and technologies that can be used to assist in the analysis of obtained data or in obtaining more data. We will look into methodologies for recovering data from persistent storage and memory. Investigate the use of virtual machines in providing auditing capabilities to analysts and in setting traps for attackers. We will also learn about reverse engineering binaries, and advanced techniques that aim to expose the way they work and their purpose.

Prerequisites

The course requires good programming skills (C, C++), including some knowledge of x86 assembly. Also, a basic background in operating systems (mainly UNIX), networking, and security.

Course prereqs:

CS 506 Introduction to IT Security
CS 392 Systems Programming or CS 631 Advanced Programming in the UNIX Environment

If you feel that you possess the skills to follow this course but have not taken the prerequisite courses, contact me to establish whether I can waive the requirements for the course.

Course material

The course does not require a textbook, however the following material could be useful:

Keith J. Jones, Richard Bejtlich, Curtis W. Rose, Dan Farmer, Wietse Venema, Brian Carrier, Computer Forensics Library Boxed Set (contains Forensic Discovery, Real Digital Forensics, and File System Forensic Analysis), Addison-Wesley Professional
Chris Eagle, The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler, No Starch Press
Warren G. Kruse II, Jay G. Heiser, Computer Forensics: Incident Response Essentials, Addison-Wesley Professional (This could be of particular interest to students interested in forensics and law enforcement)

Several of the topics covered during the course will be supported by research papers and articles available online. Please see the week-by-week schedule for more information.

Grading

Class participation	20%
Assignments	20%
Project	40%
In-class presentations	20%

Exceptional work will be rewarded with bonus points.

Project

The goal of the project is to demonstrate that you have understood the material and that you can utilize your skills to solve problems in the host forensics domain.

The first step for the project will be preparing a proposal. It is important to be able to identify a problem, find related work, formulate a plan to solve it, and implement a solution.

At the end of the course you should present the results of your project by writing a paper, presenting experimental results, demonstrating developed tools etc. The final deliverable should be in the form of a research paper like the ones covered in the lectures.

The projects will be evaluated primarily based on correctness. You can choose to explore new (i.e., publishable) ideas, which can earn you bonus points and even a publication, but you can also do well by analyzing, evaluating, and understanding the limits and key concepts of existing research. Along with code deliverables, you should also submit a report describing the problem, discussing related work, and presenting your approach and implementation. Credit will be also given for evaluating the work on appropriate axes.

Read the following guides for help on writing papers that can help you with the report:

Tips for Writing a Technical Paper, by Jennifer Widom
An evaluation of the Ninth SOSP Submissions, or How (and How Not) to Write a Good Systems Paper, by Roy Levin and David D. Redell
Collected Advice on Research and Writing, by Mark Leone

In-class presentations

students will be called to give a 30 to 45-minute presentations of research papers provided as reading material in-class. Students are encouraged to also look for related papers in recent top systems or security conferences. Such conferences are: SOSP, OSDI, Security & Privacy, CCS, USENIX Security, USENIX ATC, NDSS, ESORICS, RAID, and ACSAC. Also consider conferences focusing on digital forensics, like IFIP WG 11.9 International Conference on Digital Forensics and DFRWS.

Following the presentations there will be in-class discussion, which will affect the participation grade.

Assignments

Assignments will be also given in the classroom with no more than 6 assignments given in the duration of the course.

Week-by-week schedule

The schedule is tentative and may change in the future.

Date	Subject	Readings	Assignments
1/14/14	Introduction and course logistics	Forensic Discovery, Chapter 1, Sections 4.1-4.6, Chapter 7, Sections 8.1-8.5 Computer Forensics: Incident Response Essentials, Chapter 1 Slides: Logistics, Introduction.
1/21/14	Identifying important/relevant information The importance of time Filesystem basics	Forensic Discovery, Chapter 2, Sections 2.1-2.5, 2.7-2.10, Chapter 3, Chapter 4, Sections 4.1-4.9 The Sleuth Kit Slides: Forensics Basics.
1/28/14	Recovering deleted files File carving Examining memory Memory persistent information	Forensic Discovery, Chapter 4, Section 4.10 Real digital forensics, Chapter 9 Slides: Recovering Data. Anandabrata Pal and Nasir Memon The Evolution of File Carving Signal Processing Magazine, March 2009 In-class discussion and presentation Jim Chow, Ben Pfaff, Tal Garfinkel, Kevin Christopher, and Mendel Rosenblum Understanding Data Lifetime via Whole System Simulation USENIX Security 2004 Martin Karresand and Nahid Shahmehri Oscar — File Type Identification of Binary Data in Disk Clusters and RAM Pages IFIP International Federation for Information Processing Volume 201, 2006, pp 413-424	Assignment 1
2/4/14	Auditing using virtual machines	Slides: Auditing Using VMs. In-class discussion and presentation Samuel T. King, George W. Dunlap, and Peter M. Chen Debugging operating systems with time-traveling virtual machines USENIX ATC 2005 Jim Chow, Tal Garfinkel, and Peter M. Chen Decoupling dynamic program analysis from execution in virtual environments USENIX Security 2008 Georgios Portokalidis, Philip Homburg, Kostas Anagnostakis and Herbert Bos Paranoid Android: versatile protection for smartphones ACSAC 2010
2/11/14	Honeypots and decoys	Bill Cheswick An Evening with Berferd In Which a Cracker is Lured, Endured, and Studied USENIX 1990 In-class discussion and presentation Niels Provos A Virtual Honeypot Framework USENIX Security 2004 Georgios Portokalidis, Asia Slowinska and Herbert Bos Argos: an Emulator for Fingerprinting Zero-Day Attacks for advertised honeypots with automatic signature generation EuroSys 2006 Lance Spitzner Honeypots: Catching the Insider Threat ACSAC 2003 Brian M. Bowen, Pratap Prabhu, Vasileios P. Kemerlis, Stelios Sidiroglou, Angelos D. Keromytis, and Salvatore J. Stolfo BotSwindler: Tamper Resistant Injection of Believable Decoys in VM-Based Hosts for Crimeware Detection RAID 2010
2/18/14	Monday class schedule No class
2/25/14	Reverse engineering binaries Debuggers and disassemblers Discovering data structures	IDA Pro Book In-class discussion and presentation Christopher Kruegel, William Robertson, Fredrik Valeur and Giovanni Vigna Static Disassembly of Obfuscated Binaries USENIX Security 2004 Anthony Cozzie, Frank Stratton, Hui Xue, and Samuel T. King Digging For Data Structures OSDI 2008 Zhiqiang Lin, Xiangyu Zhang and Dongyan Xu Automatic Reverse Engineering of Data Structures from Binary Execution NDSS 2010 Asia Slowinska, Traian Stancescu, and Herbert Bos Howard: a dynamic excavator for reverse engineering data structures NDSS 2011
3/4/14	Project proposal presentations
3/11/14	Spring recess No class
3/18/14	Malware analysis	In-class discussion and presentation Fanglu Guo, Peter Ferrie and Tzi-cker Chiueh A Study of the Packer Problem and Its Solutions RAID 2008 Dinaburg, Artem and Royal, Paul and Sharif, Monirul and Lee, Wenke Ether: malware analysis via hardware virtualization extensions CCS 2008 Paolo Milani Comparetti, Guido Salvaneschi, Engin Kirda, Clemens Kolbitsch, Christopher Kruegel, Stefano Zanero Identifying Dormant Functionality in Malware Programs S&P 2010 Carsten Willems, Ralf Hund, Andreas Fobian, Dennis Felsch, and Thorsten Holz Down to the Bare Metal: Using Processor Features for Binary Analysis ACSAC 2012
3/25/14	Hiding malware, rootkits	hiding processes ( understanding the linux scheduler ) by ubra ==Phrack Inc.== Volume 0x0b, Issue 0x3f, Phile #0x12 of 0x14 Raising The Bar For Windows Rootkit Detection by Sherri Sparks and Jamie Butler ==Phrack Inc.== Volume 0x0b, Issue 0x3d, Phile #0x08 of 0x14 In-class discussion and presentation Samuel T. King, Peter M. Chen, Yi-Min Wang, Chad Verbowski, Helen J. Wang, Jacob R. Lorch SubVirt: Implementing malware with virtual machines S&P 2006 Wang, Zhi and Jiang, Xuxian and Cui, Weidong and Ning, Peng Countering kernel rootkits with lightweight hook protection CCS 2009 Ralf Hund , Thorsten Holz , Felix C. Freiling Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms USENIX Security 2009 Arvind Seshadri, Ning Qu, and Adrian Perrig SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes SOSP 2007
4/1/14	Mobile device forensics	Rick Ayers, Wayne Jansen, Nicolas Cilleros, and Ronan Daniellou Cell Phone Forensic Tools: An Overview and Analysis NIST, October 2005 Andrew Hoog Android Forensics: Investigation, Analysis and Mobile Security for Google Android Shaﬁk G. Punja and Richard P. Mislan Mobile Device Analysis SMALL SCALE DIGITAL DEVICE FORENSICS JOURNAL, VOL. 2, NO. 1, JUNE 2008 Konstantia Barmpatsalou, Dimitrios Damopoulos, Georgios Kambourakis, and Vasilios Katos A critical review of 7 years of Mobile Device Forensics Digital Investigation Volume 10, Issue 4, December 2013
4/8/14	Relating to the network Protocol reverse engineering	Real Digital Forensics: Chapters 2-5 In-class discussion and presentation Martin Roesch Snort - Lightweight Intrusion Detection for Networks LISA '99 W. Cui, J. Kannan, and H. J. Wang Discoverer: Automatic Protocol Reverse Engineering from Network Traces Usenix Security 2007 Juan Caballero, Heng Yin, Zhenkai Liang, and Dawn Song Polyglot: Automatic extraction of protocol format using dynamic binary analysis CCS 2007 Z. Lin, X. Jiang, D. Xu, and X. Zhang Automatic protocol format reverse engineering through context-aware monitored execution NDSS 2008 Asia Slowinska and Herbert Bos The Age of Data: pinpointing guilty bytes in polymorphic buffer overflows on heap or stack ACSAC 2007
4/15/14	Hiding information, encryption, and bypasses	In-class discussion and presentation Christian S.J. Peron and Michael Legary Digital Anti-Forensics: Emerging trends in data transformation techniques Seccuris Labs Omar Choudary, Felix Grobert, and Joachim Metz Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption IFIP WG 11.9 International Conference on Digital Forensics J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten Lest we remember: cold-boot attacks on encryption keys USENIX Security 2008 Tilo Muller, Michael Spreitzenbarth, and Felix C. Freiling Frost Forensic Recovery of Scrambled Telephones ACNS 2013
4/22/14	Real malware	Mark W. Eichin and Jon A. Rochlis With microscope and tweezers: the worm from MIT's perspective Communications of the ACM Symantec W32.Stuxnet.Dossier White paper
4/29/14	Final project presentations