Please Follow Requirements in the Syllabus as it is very important for this class. Linux needs to be used.
Northeastern Illinois University
Department of Computer Science
CS362-1 DIGITAL FORENSICS
Instructor: Manar Mohaisen
Email: [email protected]
Office: CBT 146
Office Hours: Tue 4:30-5:30 pm (in-person), Tue/Thu 9:30-10:30 am (online)
Zoom meeting: https://neiu-edu.zoom.us/j/9627000353
Spring 2024
Tuesday
7:05 pm–9:45 pm
LWH 2094
Course description: Digital forensic science concerns digital data acquisition, recovery, and investigation. This
course introduces computer components, storage devices, and file systems. Topics covered include forensic
algorithms, operating systems artifacts analysis, files analysis, network attacks and forensics, Internet artifacts
emphasizing browser and mail applications, and memory forensics. Students will use tools and create scripts for
digital forensic investigation.
Prerequisites: CS-207, CS-355, or CS-360 and ENGL 101 with a minimum grade of C.
Course objectives: The objectives for this course are divided into three categories: 1) introducing the
fundamentals of digital forensics and related computer, security, and cryptographic concepts, 2)
introducing several forensics fields, including operating system forensics, network forensics, email, and
social media forensics, malware forensics, and mobile forensics, and 3) introducing digital forensic tools
and hands-on implementation of digital investigation.
Course outcomes: By the end of this course, students will:
• Understand the fundamental concepts of digital forensics, including chain of custody and the forensic investigation process
• Master basic forensic scripting using Python and fundamental operating system commands
• Understand hard disks, filesystems, and media devices that might contain forensic data
• Be able to perform data acquisition and analysis
• Understand Windows, Linux, and Mac operating system artifacts and be able to collect their forensic data
• Understand fundamental networking concepts, network logging, and log analysis
• Be able to perform network traffic investigation and essential incident response
• Understand email systems, email crimes, and the investigation of email crimes
• Be able to classify types of malware and perform basic static and dynamic malware analysis
• Understand mobile threats and the mobile forensics process
• Demonstrate mastery of writing-to-learn through brainstorming and critical thinking
• Demonstrate mastery of writing-in-the-discipline to generate technical reports in the fields of computer security and digital forensics
Recommended Textbooks:
• Bill Nelson, Amelia Phillips, and Christopher Steuart, Guide to Computer Forensics and Investigations, 6th edition. Cengage Learning, 2019, ISBN-13: 978-1337568944.
• Andre Arnes (editor), Digital Forensics. Wiley, 2018. ISBN-13: 978-1119262381.
• John Sammons, The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics, 2nd edition. Syngress, 2015, ISBN-13: 978-0128016350.
Class webpage:
• D2L: https://neiu.desire2learn.com/
Tentative Brief Content:
• Module 1: Digital Forensics, Forensic Laws, and Investigation Process
• Module 2: Scripting, Linux Command Line, and Hashing
• Module 3: Hard Disks, File Systems, and Media Devices
• Module 4: Data Acquisition, Evidence Collection, and Memory Forensics
• Module 5: Windows Forensics
• Module 6: Linux & Mac Forensics
• Module 7: Network Forensics
• Module 8: Malware Forensics
Tentative course schedule:
Week 1: Digital Forensics, Forensic Laws, and Investigation Process
Topics: Definitions and Objectives | Cybercrimes | Federal rules of evidence | Types of investigation |
Phases of investigation process | Digital Forensics’ related US Laws | Digital forensic cases
Week 2: Scripting, Linux Command Line, and Hashing
Topics: Python Language (language design paradigms, data types: int, float, complex, str, list, dict, set,
bytes | functions | basic classes) | Linux (‣ History of Linux and open source systems ‣ Kali Linux ‣ File
Hierarchy Standard ‣ Linux files and file types ‣ fundamental commands ‣ package update/install) |
Hashing (‣ cryptographic ‣ non-cryptographic ‣ fuzzy and locality-preserving, locality-sensitive hashing) |
Windows command line and PowerShell (Basic commands, file/directory commands, networking
commands, drives/partitions commands, environment commands, services commands) | Creating virtual
machines and networks | File signature analysis | Hiding secrets in images (basic steganography)
Week 3-4: Hard Disks, File Systems, and Media Devices
Topics: Hard Disk Drive (HDD) | Solid-State Drive (SSD) | Disk Interfaces | Clusters and Slack Space |
Master Boot Record (MBR) | BIOS Parameter Block (BPB) | Booting Process of Windows | Booting
Process of Linux | File Systems | Windows and Linux disk analysis commands
Week 5-6: Data Acquisition, Evidence Collection, and Memory Forensics
Topics: Data acquisition (‣ live acquisition and order of volatility ‣ dead acquisition ‣ logical acquisition ‣
sparse acquisition) | Bitstream imaging (‣ disk-to-image ‣ disk-to-disk) | Data acquisition formats (‣ raw
format ‣ proprietary format ‣ advanced forensic format – AFF/AFF4) | Data acquisition methodology (‣
determine data acquisition method ‣ determine data acquisition tool ‣ sanitize the target media ‣ acquire
volatile data ‣ enable write protection on the evidence media ‣ acquire non-volatile data ‣ plan for
contingency ‣ validate data acquisition) | Windows and Linux data and memory acquisition and analysis
commands
Week 7-10: Windows Forensics
Topics: Collecting volatile information | collecting non-volatile information | memory analysis | Windows
registry analysis | web browser artifacts: cache, cookies, and history analysis | Windows file analysis |
metadata investigation | event log analysis | process analysis | print spool analysis | crash dump analysis |
RAM acquisition | Windows forensics using Python
Week 11-13: Linux Forensics
Topics: Linux file structure and essential files/directories | Linux firewall and services | collecting Linux
volatile data | collecting Linux non-volatile data | Linux filesystem image analysis | Linux memory
forensics | Linux auditing system | Linux security auditing | Linux information gathering and
fingerprinting | Digital forensic platforms (Autopsy and The Sleuth Kit) | Investigating evidence from system logs
Week 14: Network Forensics
Topics: Networking basics (‣ ISO/OSI model & TCP/IP protocol suite ‣ Protocols & addressing (‣ ARP ‣
IPv4 ‣ IPv6 ‣ ICMP ‣ TCP ‣ UDP ‣ NAT ‣ DNS ‣ DHCP)) | Network components (‣ hub ‣ switch ‣ bridge
‣ router ‣ firewall ‣ DMZ) | Network attacks (‣ wired network attacks ‣ wireless network attacks ‣
indicators of compromise (IoC) ‣ collecting network-based evidence) | Network logging | Event
correlation (‣ event correlation steps ‣ types of event correlation ‣ event correlation approaches) |
analyzing network logs | network traffic investigation (‣ network sniffing ‣ traffic analysis for attack
attempts)
Week 15: Malware Forensics
Topics: Definitions | Types of malware | Malware spreading | Components of malware (‣ crypter ‣
downloader ‣ dropper ‣ exploit ‣ injector ‣ obfuscator ‣ packer ‣ payload ‣ malicious code) | Portable
executable file format (PE file format) | Types of malware analysis (‣ static ‣ dynamic) | Static analysis
using Linux commands and Python | Introduction to malware analysis
Week 16: Final Exam or Project Presentations
Laboratory & reports: We will have 15 lab sessions. Attending the labs is mandatory. Students must submit a
report within one week of each lab session. The report should include a 150-200 word non-technical summary of
the lab and a technical report of the results obtained while performing the lab in class under the supervision of the
professor. The report should be at least four (4) A4 pages, single-spaced, in 12-point font. You may
finalize the lab after the lab session. The report with the lowest score will be dropped.
Grading policy: Your course grade will be the weighted average of the following.

Category                               Weight
Project (*)                            20%
Laboratories & reports                 70%
Attendance, participation & integrity  10%

Percentage   Grade
[90, 100]    A
[80, 90[     B
[70, 80[     C
[60, 70[     D
[0, 60[      F

(*) Students may work in groups of up to 3 students. Projects will be assigned 4 weeks before the final
presentation date.
Available resources:
• Office hours: Office hours will be in-person or via Zoom (check the list of office hours at the top of the first
page of the syllabus).
• Appointments: You can always ask for a one-on-one meeting if the regular office hours overlap with
your other classes or your work schedule, or if you need more time to discuss the material with the
instructor.
• E-mail: You can ask as many questions as you wish through email. I reply within 48 hours from the time
I receive your email. I may offer you a one-on-one meeting to discuss your questions if necessary.
Course General Policies
AI Policy: ChatGPT, Bard, or any similar model is strictly prohibited during the completion of homework
assignments and examinations for this course. These assessments are designed to evaluate individual
understanding, critical thinking skills, and the application of course concepts. External assistance undermines
these evaluations’ purpose and compromises the learning process’s integrity. Students must depend on their own
knowledge, skills, and efforts to demonstrate their understanding of the course material. Students’ commitment to
upholding the principles of academic integrity is essential for the fair evaluation and successful learning
experience of all participants in this course. Violating any element of this policy will be considered plagiarism
and will be addressed accordingly.
Phone, Tablet, and Laptop Use Policy:
• These devices should be used for educational purposes only, including taking notes and checking course
materials.
• Avoid using any of these devices for texting, making or receiving calls, or visiting social media websites
during the class.
• In case of an emergency, if you deem it urgent to receive a call or respond to a message, you can leave
the classroom for a brief period to do so.
• Any violations will result in loss of “attendance, participation & integrity” points.
Attendance: Attendance is mandatory.
Plagiarism: The first plagiarism occurrence will mean an F for the submitted work. The second occurrence will
mean an F in the course.
Academic Integrity Policy: By enrolling in this course, you are bound by the NEIU Student Code of Conduct:
http://www.neiu.edu/university-life/student-rights-and-responsibilities/student-code-conduct. You will be
informed by your instructor of any additional policy specific to your course regarding plagiarism, class
disruptions, etc.
ADA Statement: Northeastern Illinois University (NEIU) complies with the Americans with Disabilities Act
(ADA) in making reasonable accommodations for qualified students with disabilities. To request
accommodations, students with special needs should make arrangements with the Student Disability Services
(SDS) office, located on the main campus in room D104. Contact SDS via (773) 442-4595 or
http://www.neiu.edu/university-life/student-disability-services.
Campus Safety: Emergency procedures and safety information can be found at neiu.edu/police. Download the
CampusShield app on Google Play or the App Store for enhanced public safety services, including emergency
text notifications via Northeastern’s N-Safe system.
Northeastern Illinois University
Department of Computer Science
CS-362 DIGITAL FORENSICS
LAB 7: WINDOWS FORENSICS – PART II
Instructor: Manar Mohaisen
Email: [email protected]
Lab Requirements
1. Microsoft Windows virtual machine
2. McAfee BinText
3. Belkasoft Live RAM Capturer
Content
Part I: Windows Crash Dump
Part II: Collecting Process Information
Part III: RAM Acquisition
Part I: Windows Crash Dump
STEP 1: In case of a system failure (a bug check, commonly called a "blue screen"), Windows 11 writes a copy of
memory to disk. This memory backup, or crash dump, can later be used by users or investigators to collect
information about the system state, memory contents, and the status of applications and drivers at the moment of
the crash. Windows 11 can write any of the following memory dumps: small memory dump, kernel memory dump,
complete memory dump, automatic memory dump, or active memory dump. The type is chosen under "Write
debugging information" in the Startup and Recovery window, which is accessible through: SYSTEM > ABOUT >
ADVANCED SYSTEM SETTINGS > ADVANCED > STARTUP AND RECOVERY > SETTINGS [> WRITE
DEBUGGING INFORMATION]
# The memory crash dump is located in %SystemRoot%\MEMORY.DMP
C:\Windows> dir *.dmp
 Volume in drive C has no label.
 Volume Serial Number is B879-6382

 Directory of C:\Windows

02/16/2022  05:13 PM       420,822,909 MEMORY.DMP
               1 File(s)    420,822,909 bytes
               0 Dir(s)  68,369,600,512 bytes free
STEP 2: Use dumpchk to analyze the crash dump file. The dumpchk command ships with the Debugging Tools
for Windows (https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/).
# The bug check code is of interest for the debugging process; dumpchk prints much
# more information than is shown here. Bug check 0xEF is CRITICAL_PROCESS_DIED.
# Note that findstr treats "Bug*" as a regular expression ("Bu" followed by zero or
# more "g"), which is why the CompositeBus and NdisVirtualBus module lines below
# also match; use findstr /C:"BugCheck" to match the literal text only.
C:\Program Files (x86)\Windows Kits\10\Debuggers\x64> dumpchk C:\Windows\MEMORY.DMP | findstr "Bug*"
BugCheckCode        000000ef
BugCheckParameter1  ffffc101`45a31080
BugCheckParameter2  00000000`00000000
BugCheckParameter3  00000000`00000000
BugCheckParameter4  00000000`00000000
fffff807`18f30000 fffff807`18f43000   CompositeBus     063F7A78 (This is a reproducible build file hash, not a timestamp)
fffff807`19510000 fffff807`1951d000   NdisVirtualBus   7C5FA602 (This is a reproducible build file hash, not a timestamp)
*                        Bugcheck Analysis                                    *
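As an added example (it is not part of the lab handout and is not how dumpchk itself is implemented), the following Python script reads the same BugCheckCode and BugCheckParameter values that dumpchk printed above directly from the DUMP_HEADER64 structure at the start of a 64-bit MEMORY.DMP, where they sit at fixed offsets (0x38 and 0x40) behind the PAGEDU64 signature. The header it parses is constructed inside the script, the stop-code name table is a small excerpt from Microsoft's bug check reference, and 32-bit dumps (signature PAGEDUMP) are rejected rather than misread.

```python
import struct

# Offsets inside the 64-bit kernel crash dump header (DUMP_HEADER64), the
# structure WinDbg/dumpchk and memory-forensics tools read first. A 64-bit dump
# begins with b"PAGEDU64"; a 32-bit dump begins with b"PAGEDUMP".
SIG_OFF = 0x00            # b"PAGE"
VALID_OFF = 0x04          # b"DU64" on 64-bit Windows
MACHINE_OFF = 0x30        # MachineImageType (ULONG); 0x8664 = x64
BUGCHECK_CODE_OFF = 0x38  # BugCheckCode (ULONG)
BUGCHECK_PARAMS_OFF = 0x40  # four ULONG64 values: BugCheckParameter1..4
HEADER_SIZE = 0x2000      # the full 64-bit dump header occupies 8 KiB

# A few well-known stop codes (excerpt from Microsoft's bug check reference).
BUGCHECK_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x1E: "KMODE_EXCEPTION_NOT_HANDLED",
    0x3B: "SYSTEM_SERVICE_EXCEPTION",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
    0xEF: "CRITICAL_PROCESS_DIED",
}


def parse_dump_header(header: bytes) -> dict:
    """Return the bug check fields from the first bytes of a MEMORY.DMP.

    Raises ValueError when the data is too short or does not carry the 64-bit
    dump signature, so a truncated or unrelated file is rejected, not misread.
    """
    if len(header) < BUGCHECK_PARAMS_OFF + 4 * 8:
        raise ValueError("header too short to contain the bug check fields")
    if header[SIG_OFF:VALID_OFF + 4] != b"PAGEDU64":
        raise ValueError("not a 64-bit Windows crash dump (expected PAGEDU64)")
    machine = struct.unpack_from("<I", header, MACHINE_OFF)[0]
    code = struct.unpack_from("<I", header, BUGCHECK_CODE_OFF)[0]
    params = struct.unpack_from("<4Q", header, BUGCHECK_PARAMS_OFF)
    return {
        "machine_image_type": machine,
        "bugcheck_code": code,
        "bugcheck_name": BUGCHECK_NAMES.get(code, "UNKNOWN"),
        "parameters": list(params),
    }


def format_report(info: dict) -> str:
    """Render the parsed fields in the same style as the dumpchk output above."""
    lines = [f"BugCheckCode        {info['bugcheck_code']:08x}  ({info['bugcheck_name']})"]
    for i, p in enumerate(info["parameters"], start=1):
        lines.append(f"BugCheckParameter{i}  {p >> 32:08x}`{p & 0xFFFFFFFF:08x}")
    return "\n".join(lines)


def make_sample_header(code: int, params: tuple) -> bytes:
    """Constructed test data (not a real dump): an 8 KiB header carrying the
    64-bit signature, an x64 machine type, and the given bug check values."""
    buf = bytearray(HEADER_SIZE)
    buf[0:8] = b"PAGEDU64"
    struct.pack_into("<I", buf, MACHINE_OFF, 0x8664)
    struct.pack_into("<I", buf, BUGCHECK_CODE_OFF, code)
    struct.pack_into("<4Q", buf, BUGCHECK_PARAMS_OFF, *params)
    return bytes(buf)


def read_dump_file(path: str) -> dict:
    """Parse only the header of an on-disk MEMORY.DMP; the file is never read
    whole, which matters for dumps of several gigabytes."""
    with open(path, "rb") as f:
        return parse_dump_header(f.read(HEADER_SIZE))


if __name__ == "__main__":
    # Same values dumpchk reported in the lab: 0xEF with one non-zero parameter.
    sample = make_sample_header(0xEF, (0xFFFFC10145A31080, 0, 0, 0))
    print(format_report(parse_dump_header(sample)))
```

Point read_dump_file() at C:\Windows\MEMORY.DMP on the lab VM to compare its output with dumpchk; only the first 8 KiB are read, so the 400 MB dump from Step 1 is handled as quickly as the constructed sample.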
Part II: Collecting Process Information
STEP 3: Instead of analyzing the whole memory or all running processes/services, investigators might be
interested in analyzing a single process or a group of processes. To do that, one can dump a given
process by performing the following steps.
STEP 4: List the running processes with pslist (from the Sysinternals tools) or the built-in tasklist. Use pslist /?
or tasklist /? for more information about these two tools.
# -nobanner: suppress the Sysinternals banner at the top of the output
C:\work\tools> pslist -nobanner

Process information for WINDEV2112EVAL:

Name             Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle               0   0   4     0     60   11:21:35.890    39:30:16.241
System             4   8 134  3162     36    0:24:59.109    39:30:16.241
Secure System     56   8   0     0    184    0:00:00.000    39:30:26.331
Registry         108   8   4     0   8300    0:00:06.234    39:30:26.132
…
Notepad         6272   8   7   828  24268    0:00:10.390     0:11:17.269
pslist          9704  13   3   213   3372    0:00:00.296     0:00:00.274
clip            6212   8   3    65   1000    0:00:00.000     0:00:00.260
STEP 5: To dump the memory of a particular process, use procdump (from the Sysinternals tools).

# -mm: mini dump (the default)
# -ma: full dump
# -mt: triage dump
# -mk: kernel dump
# dump the Notepad process (PID 6272 in the pslist output above)
C:\work\tools> procdump -nobanner -mm 6272
[07:45:17] Dump 1 initiated: C:\work\tools\Notepad.exe_220222_074517.dmp
[07:45:18] Dump 1 complete: 3 MB written in 0.3 seconds
[07:45:18] Dump count reached.
STEP 6: To display the content of the dump, you might use McAfee's BinText tool. The tool is no longer
available on McAfee's website, but it can be downloaded from github.com/mfput/McAfeeTools, among other
useful tools. Once BinText is installed, run it and open the memory dump created in Step 5. Keep in mind that
a mini dump (-mm) contains only a small part of the process memory; if you need the strings from the whole
address space, create a full dump with -ma instead.
In the BinText view, scroll down and check the different types of strings collected (ASCII, Unicode, and resource strings).
STEP 7: A process has a unique identifier (known as the process ID or PID). When a process runs, it opens a set
of handles, which its code uses to access resources such as files, registry keys, and shared memory sections. A
handle is an opaque reference to a kernel object, similar in concept to a pointer in languages such as C.
# List all processes and their handles – a long list
C:\work\tools> handle
# a long list of processes and handles is displayed

# display the handles associated with a particular process
C:\work\tools> handle -p 10116
   48: File  (RW-)   C:\Windows\System32
  1CC: File  (RW-)   C:\Windows\Temp\vmware-vmsvc-SYSTEM.log
  234: Section       \BaseNamedObjects\windows_shell_global_counters
  2B0: File  (R-D)   C:\Windows\System32\en-US\KernelBase.dll.mui
  370: Section       \BaseNamedObjects\__ComCatalogCache__
  380: Section       \BaseNamedObjects\__ComCatalogCache__
  384: File  (R--)   C:\Windows\Registration\R000000000006.clb
  464: File  (R-D)   C:\Windows\System32\en-US\mpr.dll.mui
  498: Section       \BaseNamedObjects\HGFSMEMORY
  4A8: Section       \BaseNamedObjects\windows_shell_global_counters
STEP 8: To list the executable and the dynamic link libraries (DLL files) loaded into a process, use the
command listdlls.
# List all processes and their loaded DLL files – a long list
C:\work\tools> listdlls
# a long list of processes and DLLs is displayed

# display the DLLs loaded into a particular process
C:\work\tools> listdlls notepad.exe
------------------------------------------------------------------------
Notepad.exe pid: 8832
Command line: "C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2112.32.0_x64__8wekyb3d8bbwe\Notepad\Notepad.exe"

Base                Size      Path
0x00000000ac0b0000  0x76000   C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2112.32.0_x64__8wekyb3d8bbwe\Notepad\Notepad.exe
0x0000000006ca0000  0x209000  C:\Windows\SYSTEM32\ntdll.dll
0x0000000005890000  0xbd000   C:\Windows\System32\KERNEL32.DLL
0x00000000046a0000  0x374000  C:\Windows\System32\KERNELBASE.dll
0x0000000006c00000  0x5d000   C:\Windows\System32\SHLWAPI.dll
0x0000000006460000  0xa3000   C:\Windows\System32\msvcrt.dll
0x00000000055b0000  0x1ac000  C:\Windows\System32\USER32.dll
0x0000000004a20000  0x26000   C:\Windows\System32\win32u.dll
0x0000000006980000  0x29000   C:\Windows\System32\GDI32.dll
0x00000000042b0000  0x112000  C:\Windows\System32\gdi32full.dll
0x0000000004600000  0x9d000   C:\Windows\System32\msvcp_win.dll
0x0000000004190000  0x111000  C:\Windows\System32\ucrtbase.dll
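As an added example (not part of the lab handout), the Python script below turns listdlls output like the listing in Step 8 into the triage check a practitioner actually runs on it: it parses the Base/Size/Path rows and flags every module loaded from outside the Windows system directories, Program Files, or the process's own image directory, plus any DLL name that appears twice from different directories (the same name loaded from two places is a classic side-loading sign). The trusted-roots list is an assumption chosen for the example, and the sample listing is constructed: its first rows mirror the lab's Notepad output, while the two version.dll rows are invented to exercise the checks.

```python
import ntpath
import re

# Directories from which a Windows process normally loads its DLLs. Anything
# else (user profiles, temp folders, public folders) deserves a closer look.
# This list is a triage heuristic assumed for the example, not a vendor list.
TRUSTED_ROOTS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
    r"c:\program files",
    r"c:\program files (x86)",
)

PID_LINE = re.compile(r"^(\S+)\s+pid:\s+(\d+)\s*$")
MODULE_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S.*?)\s*$")


def parse_listdlls(text: str):
    """Parse one process section of listdlls output into
    (pid, [(base, size, path), ...]). The first module is the image itself."""
    pid, modules = None, []
    for line in text.splitlines():
        m = PID_LINE.match(line)
        if m:
            pid = int(m.group(2))
            continue
        m = MODULE_LINE.match(line)
        if m:
            modules.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return pid, modules


def in_trusted_location(path: str, image_dir: str) -> bool:
    """True if the module sits under a trusted root or the process's own folder.
    The trailing backslash stops C:\\Windows\\System32Evil from passing."""
    low = path.lower()
    roots = TRUSTED_ROOTS + (image_dir.lower(),)
    return any(low.startswith(root.rstrip("\\") + "\\") for root in roots)


def flag_modules(modules):
    """Return (untrusted_paths, duplicated_names) for a parsed module list."""
    if not modules:
        return [], []
    image_dir = ntpath.dirname(modules[0][2])
    untrusted = [path for _, _, path in modules
                 if not in_trusted_location(path, image_dir)]
    first_dir, duplicates = {}, []
    for _, _, path in modules:
        name = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower()
        if name in first_dir and first_dir[name] != folder:
            duplicates.append(name)
        first_dir.setdefault(name, folder)
    return untrusted, duplicates


def triage_listdlls(text: str) -> dict:
    """One-call summary suitable for dropping into a lab report."""
    pid, modules = parse_listdlls(text)
    untrusted, duplicates = flag_modules(modules)
    return {"pid": pid, "modules": len(modules),
            "untrusted": untrusted, "duplicates": duplicates}


# Constructed sample in listdlls' output format. The first four rows mirror the
# lab's Notepad listing; both version.dll rows are made up to exercise the checks.
SAMPLE_LISTDLLS = r"""
------------------------------------------------------------------------
Notepad.exe pid: 8832
Command line: "C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2112.32.0_x64__8wekyb3d8bbwe\Notepad\Notepad.exe"

Base                Size      Path
0x00000000ac0b0000  0x76000   C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2112.32.0_x64__8wekyb3d8bbwe\Notepad\Notepad.exe
0x0000000006ca0000  0x209000  C:\Windows\SYSTEM32\ntdll.dll
0x0000000005890000  0xbd000   C:\Windows\System32\KERNEL32.DLL
0x00000000046a0000  0x374000  C:\Windows\System32\KERNELBASE.dll
0x0000000006bf0000  0x8000    C:\Windows\System32\version.dll
0x0000000006c00000  0x5d000   C:\Users\Public\Libraries\version.dll
"""

if __name__ == "__main__":
    print(triage_listdlls(SAMPLE_LISTDLLS))
```

On the lab VM, redirect `listdlls notepad.exe > notepad_dlls.txt` and feed the file's text to triage_listdlls(); a clean Notepad should report no untrusted modules and no duplicates.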
Part III: RAM Acquisition
STEP 9: RAM can be acquired during live acquisition. The free Belkasoft Live RAM Capturer or AccessData
FTK Imager can be used for this purpose.
STEP 10: The main screen of the Belkasoft Live RAM Capturer only asks for an output folder. The memory
dump is written to the specified folder with a .mem extension.