INCS 712: Computer Forensics

 Spring 2007, Fall Term 2006

New York Institute of Technology-Amman's Campus


  • Class room is: C104
  • The articles are posted on the web.
  • Sunday 12/11/2006 will be OFF.
  • GSM forensic article and presentation are posted now
  • Article and presentation about "Checking Microsoft for signs of compromise"
  • Unix security and forensics presentation is posted.
  • A nice, interesting presentation on Bluetooth technology/security is posted.
  • Wireless forensics presentation is now on the web!
  • Special thanks to Rami AL-Attar, who provided us with many useful tools and material.
  • And thanks to all of you for the tools and the nice participation.

Reading Assignments

  • The reading assignments will be distributed in the class/by email


  • The final exam will be a take home exam. It will be sent to you by email.

Course Description

This course is concerned with the post-analysis of computer systems that have been compromised. In this course, we will study forensic tools and techniques that combine information accumulated from various systems to reconstruct the behaviors and actions of cyber criminals. Computer forensics focuses on reconstructing the events that led to the system corruption, with the main goals of recovering critical data and learning the techniques used by hackers, to help improve the protection of systems and prevent similar attacks in the future.


INCS 615 : Network Security and Perimeter Protection
CSCI 620 : Operating System Security

Course Topics/Handouts/Presentations:

  • An overview of Computer Forensics. Slides

  • An examination of digital forensic Model. Article
  • Computer Crimes: Presentation by Hadil Antwan
  • User Activity Tracing: Browser Log Files and Recycle Bin Deciphered. Presentation prepared by Mahmoud Abu Also'ud and Rami Al-Khateeb, Leen Arikat
    • Track and examine web browsing activity and deletion of files through the Windows recycle bin that took place on a certain computer.

    • Deciphers Internet Explorer's ever-growing internal history/cache file index.dat. Displays complete URLs, date and time of the last visit, user names, file sizes, filename extensions, and more. Allows sorting by any criterion. Reads from one or more files you specify, or searches complete folders and subfolders, or even entire hard disks (or raw images of hard disks) in allocated space, free space, and slack space, for traces of someone having surfed the Internet. Occasionally, accesses to local files are logged, too. You may search for specific domain, file, and user names.

    • Also deciphers the browser history file "history.dat" produced by Mozilla/Firefox and the browser cache file "dcache4.url" created by the Opera browser.

    • Also deciphers the hidden Windows recycle bin file info2 located in every Recycled/Recycler folder. Displays the original path and filename, date and time of deletion, file size, and more, sometimes even if the recycle bin has been emptied.

  • Computer Forensics Editing: presentation prepared by Lo'ai Hattar and Omar Zayadat
    • Disk editor for hard disks, floppy disks, CD-ROM & DVD, ZIP, Smart Media, Compact Flash, ...
    • Native support for FAT, NTFS, Ext2/3, ReiserFS, Reiser4, UFS, CDFS, UDF
    • Built-in interpretation of RAID systems and dynamic disks
    • Various data recovery techniques
    • RAM editor, providing access to physical RAM and other processes' virtual memory
    • Data interpreter, knowing 20 data types
    • Editing data structures using templates (e.g. to repair partition table/boot sector)
    • Concatenating and splitting files, unifying and dividing odd and even bytes/words
    • Analyzing and comparing files
    • Particularly flexible search and replace functions


  • Data Recovery: presentation prepared by Rami Sabatin and Hadil Antwan, Ibrahim Shurbaji
    • Recovering files from logically corrupted or formatted drives. Study two separate, fully automated data recovery mechanisms to maximize the chances of success. One mechanism works with files of any type, the other one recovers JPG, PNG, GIF, TIFF, BMP, MS Word/Excel/PowerPoint (DOC/XLS/PPS/...), RTF, MS Access (MDB), PostScript (EPS), Acrobat (PDF), Quicken (QDF), HTML, XML, DBX, PST, CAD (DWG), PSD, ZIP, GZ, RAR, RIFF (WAV, AVI), Real Audio/Media (RA, RAM, RM), Quicktime (MOV), Windows Media (ASF) and MPEG (MPG). Specifically supports FAT12, FAT16, FAT32, and NTFS.


  • Evidence Collector: Mo'utasem Hamour and Ibrahim Alqarout, Radwan Abu Jassar

    • Searches text on hard disks and retrieves the context of keyword occurrences on computer media, not only by examining all files (the entire allocated space, even Windows swap/paging and hibernate files), but also currently unallocated space and so-called slack space. That means it will even find data from files that have been deleted, if they still physically exist. Please note that Evidor cannot access remote networked hard disks.

    • Find and gather digital evidence on computer media. Evidor also comes most handy in civil (pre-)litigation if one party wants to examine (inspect) the computers of the other party. Evidor can be used on site for electronic discovery, will usually not disclose unrelated proprietary or confidential information and does not impose an undue burden on the responding party in terms of personnel, time and money. Evidor serves as an automated forensic examiner, saving you the cost of many hours of hard manual expert work. Evidor produces reliable, replicable, neutral, and simple results, just as needed before court. Powerful and fast. 


  • Permanent Erasing: Mohammad Al-omari and Yousef Aburabia Murad Ali

    • Delete selected confidential files securely, such that they are not recoverable.
    • Wipe free drive space and clear slack space, to get rid of sensitive data from deleted files, esp. temporary files.
    • Clean formerly used NTFS file records, which contain filenames and other data
    • Erase logical drives or entire physical disks completely and irreversibly, e.g. to produce forensically clean target media or to sanitize media before re-use in a different environment or before donating.
    • Trusted download: copy files from classified media without slack space overhang
    • Try This Free Erasing Tool









  • "Forensics and Cyber Crime: An Introduction" by Marjie T. Britz. Prentice Hall (August 01, 2003). ISBN: 0130907588.



  1. Computer Forensics, Computer crime scene investigations. J. Vacca, Charles River Media, 2nd edition, 2005
  2. Guide to Computer Forensics and Investigation. B. Nelson, A. Philips, et al. Thomson Course Technology, 2nd ed., 2006

Grading Policy

  • Reading Articles Assignments: 20 %  
  • Papers and Presentations: 40 %
  • Final: 40 %

Dr. Lo'ai A. Tawalbeh