Overview
Host forensics involves the identification, preservation, and analysis
of evidence of attacks in order to identify attackers and document
their activity with sufficient reliability to justify appropriate
technological, business, and legal responses. This course focuses on
the technological, not the legal, components of the topic, and the
emphasis is on the host. The technical material covers the analysis of
different attack types and the intrusion process, how to identify an
attack and the evidence it leaves behind, and technologies that assist
in analyzing the data obtained or in obtaining more data. We will look
into methodologies for recovering data from persistent storage and from
memory, investigate the use of virtual machines to provide auditing
capabilities to analysts and to set traps for attackers, and learn
about reverse engineering binaries and the advanced techniques that aim
to expose how they work and what their purpose is.
Prerequisites
The course requires good programming skills (C, C++), including some
knowledge of x86 assembly, as well as a basic background in operating
systems (mainly UNIX), networking, and security.
Course prereqs:
- CS 506 Introduction to IT Security
- CS 392 Systems Programming or CS 631 Advanced Programming in the UNIX Environment
Course material
The course does not require a textbook; however, the following
material could be useful:
- Keith J. Jones, Richard Bejtlich, Curtis W. Rose, Dan Farmer,
Wietse Venema, and Brian Carrier. Computer Forensics Library Boxed Set
(contains Forensic Discovery, Real Digital Forensics, and File
System Forensic Analysis). Addison-Wesley Professional
- Chris Eagle. The IDA Pro Book: The Unofficial Guide to the World's
Most Popular Disassembler. No Starch Press
- Warren G. Kruse II and Jay G. Heiser. Computer Forensics: Incident
Response Essentials. Addison-Wesley Professional
(This could be of particular interest to students interested in
forensics and law enforcement.)
Several of the topics covered during the course will be supported
by research papers and articles available online. Please see the
week-by-week schedule for more information.
Grading
Component | Weight
Class participation | 10%
Homework | 30%
Project | 40%
In-class presentations | 20%
Note that exceptional work will be rewarded with bonus points.
Project
The goal of the project is to demonstrate that you have
understood the material and that you can utilize your skills to
solve problems in the host forensics domain. The projects will be
evaluated primarily based on how well you think about problems,
understand the issues involved, and are able to formulate and
execute a research plan to address the problem. You can choose to
explore new (i.e., publishable) ideas, which can earn you bonus
points and even a publication, but you can also do well by
analyzing, evaluating, and understanding the limits and key concepts
of existing research.
The first step of the project is preparing a proposal. This will help
you commit to a particular project, think in depth about the steps
that must be accomplished by the end of the course, and schedule the
necessary tasks. At the end of the course you should present the
results of your project by writing a paper, presenting experimental
results, demonstrating developed tools, etc. The final deliverable
should be in the form of a research paper like the ones covered in
the lectures.
Read the following guides for help on writing papers:
In-class presentations
Each student will also be called to give a 45-minute presentation of
a research paper of their choice (please check with me first) in one
of the lectures. Available slots are listed in the week-by-week
schedule. While one of the papers in the readings list will do,
students are encouraged to look for related papers in one of the
recent top systems or security conferences. Such conferences are:
SOSP, OSDI, Security & Privacy, CCS, USENIX Security, USENIX ATC,
NDSS, ESORICS, RAID, and ACSAC. Also consider conferences focusing on
digital forensics, like the IFIP WG 11.9 International Conference on
Digital Forensics and DFRWS.
Homework
Assignments will be given in the classroom weekly or
bi-weekly depending on covered material.
Week-by-week schedule
The schedule is tentative and may change in the future.
Last update 4/23/2013
Date: 1/15/13
Subject: Introduction and course logistics
Readings:
- Lecture slides
- Forensic Discovery, Chapter 1, Sections 4.1-4.6, Chapter 7, Sections 8.1-8.5
- Computer Forensics: Incident Response Essentials, Chapter 1

Date: 1/22/13
Subject: Identifying important/relevant information; the importance of time; filesystem basics
Readings:
- Lecture slides
- Forensic Discovery, Chapter 2, Sections 2.1-2.5, 2.7-2.10, Chapter 3, Chapter 4, Sections 4.1-4.9
- The Sleuth Kit
Assignments: Assignment01

Date: 1/29/13
Subject: Recovering deleted files; file carving; examining memory; memory-persistent information
Readings:
- Lecture slides
- Forensic Discovery, Chapter 4, Section 4.10
- Real Digital Forensics, Chapter 9
- Anandabrata Pal and Nasir Memon. The Evolution of File Carving. Signal Processing Magazine, March 2009
- Jim Chow, Ben Pfaff, Tal Garfinkel, Kevin Christopher, and Mendel Rosenblum. Understanding Data Lifetime via Whole System Simulation. USENIX Security 2004
Assignments: Assignment02

Date: 2/5/13
Subject: Auditing using virtual machines; student presentation slot
Readings:
- Lecture slides
- Samuel T. King, George W. Dunlap, and Peter M. Chen. Debugging operating systems with time-traveling virtual machines. USENIX ATC 2005
- Jim Chow, Tal Garfinkel, and Peter M. Chen. Decoupling dynamic program analysis from execution in virtual environments. USENIX Security 2008
- Georgios Portokalidis, Philip Homburg, Kostas Anagnostakis, and Herbert Bos. Paranoid Android: versatile protection for smartphones. ACSAC 2010

Date: 2/12/13
Subject: Honeypots and decoys; student presentation slot
Readings:
- Lecture slides
- Bill Cheswick. An Evening with Berferd, In Which a Cracker is Lured, Endured, and Studied. USENIX 1990
- Niels Provos. A Virtual Honeypot Framework. USENIX Security 2004
- Georgios Portokalidis, Asia Slowinska, and Herbert Bos. Argos: an Emulator for Fingerprinting Zero-Day Attacks for Advertised Honeypots with Automatic Signature Generation. EuroSys 2006
- Lance Spitzner. Honeypots: Catching the Insider Threat. ACSAC 2003
- Brian M. Bowen, Pratap Prabhu, Vasileios P. Kemerlis, Stelios Sidiroglou, Angelos D. Keromytis, and Salvatore J. Stolfo. BotSwindler: Tamper Resistant Injection of Believable Decoys in VM-Based Hosts for Crimeware Detection. RAID 2010
Assignments: Assignment03

Date: 2/19/13
Subject: Monday class schedule; no class

Date: 2/26/13
Subject: Reverse engineering binaries; debuggers and disassemblers
Readings:
- Lecture slides
- Christopher Kruegel, William Robertson, Fredrik Valeur, and Giovanni Vigna. Static Disassembly of Obfuscated Binaries. USENIX Security 2004
- The IDA Pro Book
Assignments: Assignment04

Date: 3/5/13
Subject: Project proposal presentations

Date: 3/12/13
Subject: Spring recess; no class

Date: 3/19/13
Subject: Discovering data structures; student presentation
Readings:
- Lecture slides
- Anthony Cozzie, Frank Stratton, Hui Xue, and Samuel T. King. Digging For Data Structures. OSDI 2008
- Zhiqiang Lin, Xiangyu Zhang, and Dongyan Xu. Automatic Reverse Engineering of Data Structures from Binary Execution. NDSS 2010
- Asia Slowinska, Traian Stancescu, and Herbert Bos. Howard: a dynamic excavator for reverse engineering data structures. NDSS 2011

Date: 3/26/13
Subject: Malware analysis; student presentation
Readings:
- Lecture slides
- Fanglu Guo, Peter Ferrie, and Tzi-cker Chiueh. A Study of the Packer Problem and Its Solutions. RAID 2008
- Artem Dinaburg, Paul Royal, Monirul Sharif, and Wenke Lee. Ether: malware analysis via hardware virtualization extensions. CCS 2008
- Paolo Milani Comparetti, Guido Salvaneschi, Engin Kirda, Clemens Kolbitsch, Christopher Kruegel, and Stefano Zanero. Identifying Dormant Functionality in Malware Programs. S&P 2010
- Carsten Willems, Ralf Hund, Andreas Fobian, Dennis Felsch, and Thorsten Holz. Down to the Bare Metal: Using Processor Features for Binary Analysis. ACSAC 2012
Assignments: Assignment05

Date: 4/2/13
Subject: Hiding malware, rootkits; student presentation
Readings:
- Lecture slides
- Samuel T. King, Peter M. Chen, Yi-Min Wang, Chad Verbowski, Helen J. Wang, and Jacob R. Lorch. SubVirt: Implementing malware with virtual machines. S&P 2006
- Zhi Wang, Xuxian Jiang, Weidong Cui, and Peng Ning. Countering kernel rootkits with lightweight hook protection. CCS 2009
- Ralf Hund, Thorsten Holz, and Felix C. Freiling. Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms. USENIX Security 2009
- Arvind Seshadri, Ning Qu, and Adrian Perrig. SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes. SOSP 2007
- ubra. Hiding processes (understanding the Linux scheduler). Phrack Inc., Volume 0x0b, Issue 0x3f, Phile #0x12 of 0x14
- Sherri Sparks and Jamie Butler. Raising The Bar For Windows Rootkit Detection. Phrack Inc., Volume 0x0b, Issue 0x3d, Phile #0x08 of 0x14

Date: 4/9/13
Subject: Relating to the network; protocol reverse engineering
Readings:
- Lecture slides
- Real Digital Forensics, Chapters 2-5
- Martin Roesch. Snort - Lightweight Intrusion Detection for Networks. LISA '99
- W. Cui, J. Kannan, and H. J. Wang. Discoverer: Automatic Protocol Reverse Engineering from Network Traces. USENIX Security 2007
- Juan Caballero, Heng Yin, Zhenkai Liang, and Dawn Song. Polyglot: Automatic extraction of protocol format using dynamic binary analysis. CCS 2007
- Z. Lin, X. Jiang, D. Xu, and X. Zhang. Automatic protocol format reverse engineering through context-aware monitored execution. NDSS 2008
- Asia Slowinska and Herbert Bos. The Age of Data: pinpointing guilty bytes in polymorphic buffer overflows on heap or stack. ACSAC 2007

Date: 4/16/13
Subject: Hiding information, encryption, and bypasses; student presentation
Readings:
- Lecture slides
- Christian S.J. Peron and Michael Legary. Digital Anti-Forensics: Emerging trends in data transformation techniques. Seccuris Labs
- Omar Choudary, Felix Gröbert, and Joachim Metz. Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption. IFIP WG 11.9 International Conference on Digital Forensics
- J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten. Lest we remember: cold-boot attacks on encryption keys. USENIX Security 2008
- Tilo Müller, Michael Spreitzenbarth, and Felix C. Freiling. FROST: Forensic Recovery of Scrambled Telephones. ACNS 2013
Assignments: Assignment06

Date: 4/23/13
Subject: Real malware
Readings:
- Lecture slides
- Mark W. Eichin and Jon A. Rochlis. With microscope and tweezers: the worm from MIT's perspective. Communications of the ACM
- Symantec. W32.Stuxnet Dossier. White paper

Date: 4/30/13
Subject: Final project presentations