---
title: 'CS6501: Cyber Forensics'
tags: cs6501-spring22
---

# CS6501: Cyber Forensics

* Time: **Tue/Thurs** **12:30~1:45 pm** (1h 15m)

## Introduction

Today's computer systems are vulnerable. We have seen many high-profile cyberattacks in recent years affecting various infrastructures. Once a system is compromised, understanding how it was compromised and what we can do about the system is particularly important. This course aims to teach techniques and knowledge for understanding software systems from a forensic perspective at various levels.

### Automated (Malicious/Victim) Program Analysis for Cyber Forensics

* You will learn **how to analyze and understand (malicious or victim) programs automatically** by leveraging dynamic and static program analysis techniques. We will learn how to build automatic tools on top of existing program analysis frameworks such as LLVM and Pin.

### Post-mortem Forensic Analysis

* You will learn how to leverage **cyber forensics tools** to conduct a **post-mortem analysis**. Given a memory/disk dump file collected from the victim computer, we will learn how to navigate the complex code and data to understand what happened during the attack and how to trace back to the origin of the attack. Tools like Volatility (https://www.volatilityfoundation.org/) will be used. Moreover, we will learn how to gather forensic information from various files, for instance by reading undocumented file formats via file-format reverse engineering and by analyzing multiple files to identify corrupted logs.

### Advanced Cyber Forensic Techniques

* You will learn state-of-the-art cyber forensic techniques. For instance, one of the recent advances in **memory forensics** is a technique that can reproduce a program's execution from memory. From a memory dump of a dead process, you will learn how to resurrect the program execution. Moreover, we will look into advanced techniques to reverse-engineer malware to understand attackers' intentions.
## Prerequisites

This course does not have particular prerequisites. However, this course **assumes** that you are familiar with the **C programming language** and basic concepts from core courses (e.g., **CS2150**, **CS4401**, **Compilers**, **Programming Languages**). If you are not familiar with those, you may have to spend **extra time** to learn them. The course will provide materials and guidance.

* Plus 1: If you took **DADA (Defense Against Dark Arts)** or **Intro. to Cyber Security**, that would be a great plus.
* Plus 2: It would be great if you have experience in **x86 assembly**, **compilers** (particularly back-ends, i.e., code generators), the C programming language, and **system/kernel programming**.

## Instructor

Prof. Yonghwi Kwon

* Email: yongkwon@virginia.edu
* Office Hours: By appointment

When you send an email regarding the class, please have ``[CS6501]`` (**no space** between CS and 6501) in your email subject. For example, ``[CS6501] Questions for Project 1``. I am using an email filter with ``[CS6501]``, so if your emails do not have the correct heading in the subject, they might fall through the cracks. Due to the large volume of emails I receive, if you don't add ``[CS6501]`` to the subject, I may not be able to find your email.

* If you don't get a response, check your email's subject first.

## Linux environment

Assignments will require a Linux environment. You should anticipate setting up a virtual machine if you don't run Linux natively. VirtualBox or WSL version 2 is recommended.

* VirtualBox: https://www.virtualbox.org/
* [VM Image](https://virginia.box.com/s/bpdrbz1y4jbuv2vwb6husodfqdx5vya8) / [VM Image (for 4K/Retina Display)](https://virginia.box.com/s/o1kv3yc2spyio5gnidzzspk3hc0nk3cy)
* Password: `forensics`
* In the VM image, I have installed and compiled Pin (check out the ~/pin folder).
* I did *not* turn off ASLR. Please refer to the slides regarding Pin to turn off ASLR.
* Please change the password!
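The VM image leaves ASLR on, and the Pin slides cover turning it off. As an added example (not from the course materials or the VM image), the script below checks the kernel's current ASLR setting and shows the two usual ways to disable it: system-wide through `/proc/sys/kernel/randomize_va_space`, or for a single process with util-linux's `setarch -R`. The per-process form is the one you normally want when running a target under Pin, since it keeps stack, heap and library addresses identical across runs so that traces from different runs can be compared. It assumes a Linux guest with `/proc` mounted and `setarch` installed (standard on Ubuntu); the function names and the tool name `mytool.so` in the usage comment are mine.

```shell
#!/bin/sh
# Added example: inspect and disable ASLR for Pin-based analysis in the VM.
# Assumes Linux with /proc and util-linux's setarch. Not part of the course VM.

ASLR_CTL=/proc/sys/kernel/randomize_va_space

# Print the kernel's ASLR setting: 0 = off, 1 = stack/mmap/vdso randomized,
# 2 = additionally randomize brk (the Linux default).
# Prints "unknown" when the sysctl file is not readable (e.g. not on Linux).
aslr_status() {
    if [ -r "$ASLR_CTL" ]; then
        cat "$ASLR_CTL"
    else
        echo unknown
    fi
}

# Disable ASLR system-wide. Needs root and lasts until reboot; prefer the
# per-process form below unless every process on the box must be affected.
aslr_disable_global() {
    echo 0 | sudo tee "$ASLR_CTL" >/dev/null
}

# Run a single command with address-space randomization turned off for that
# process only (setarch -R sets the ADDR_NO_RANDOMIZE personality flag).
run_without_aslr() {
    setarch "$(uname -m)" -R "$@"
}

# Demonstrate the effect: the [stack] mapping stays at the same address on
# both runs when randomization is off, and moves when it is on.
aslr_demo() {
    for _ in 1 2; do
        run_without_aslr sh -c 'grep "\[stack\]" /proc/self/maps'
    done
}

# Usage from the VM shell (mytool.so is a placeholder for your own Pintool):
#   . ./aslr.sh
#   aslr_status                                            # 2 on a stock guest
#   run_without_aslr ~/pin/pin -t mytool.so -- ./target    # stable addresses
echo "ASLR setting (randomize_va_space): $(aslr_status)"
```

If you do disable ASLR globally for convenience, remember that the VM is then an easier exploitation target than a default install; turning it back on is `echo 2 | sudo tee /proc/sys/kernel/randomize_va_space`.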
### Instruction

* First, download the file.
* Second, import the file (File > Import Appliance > Select the downloaded ova file).
* The instructions below are for those who want to ssh into the VM.
  * If you are not familiar with ssh and would rather work directly in the VM, please ignore the instructions below.
  * The ssh configuration is just to make your life easier, and is optional. You don't need to do it if you feel it is more hassle.
* Third, use an ssh terminal to connect to 127.0.0.1:2200 (if you are using Linux, please specify the username (i.e., swsec19) when you connect to the VM).
* Fourth, change the password. The default credential is swsec19 (for both id/pw).
* Fifth, to power off the machine, use the "shutdown now" command (don't just power off the VM; your file system may break).

> *[Optional]* If you are installing an OS in a VM by yourself and want to use ssh to log in, please configure port forwarding in your VM: https://medium.com/platform-engineer/port-forwarding-for-ssh-http-on-virtualbox-459277a888be

## Cheating

**Please DO NOT cheat.** This course will be very serious about cheating. If you have technical difficulties, consult with the instructor early. Cheating may result in an **F or more severe consequences**. We detect cheating with various methods, including automated code analysis tools. We are not obligated to tell you early in the semester that you were caught cheating. So if you cheat, you may hear at the end of the semester that you will receive an F or be reported to the university, which will significantly impact your plans. Moreover, **do not share your code**. Even if you wrote the code yourself, sharing it will get you in trouble too. If you use code from a previous semester, you will also get the code's original author in trouble. **Please do not cheat. I believe I have warned enough.**

* If you took the course before and you have your old submission, we do not consider the resubmission of your own code cheating, **if it only matches your own old submission**.
  * That means, if you shared your code with someone and we see another submission that matches yours, it will be counted as cheating.

## Policies

### Grading Policy

We expect to determine grades as follows:

| Assignments | Percentage of Final Grade |
| -------- | -------- |
| 3 Projects | 70% |
| 6 Homeworks | 20% |
| Participation | 10% |
| **Total** | **100%** |

* We will have 6 homeworks. Each homework is worth 5 points. Anyone who earns 20 or more points (four perfect homeworks) receives the full 20% homework score.
* Points beyond 20 count as extra credit. Those extra credits will be considered when we determine the final grade.

### Late Policy

There will be 3 projects.

* Late policy: 1 day late (10% penalty), 2 days late (20% penalty), 3 days late (50% penalty), 4 or more days late (100% penalty).
* The late policy can be flexible under special circumstances. However, we will cover the answers during class. Hence, once the answer is released, no new submissions can be accepted. To make up the score, one should consult with the instructor.
* All projects and homeworks are **individual**. Discussions are acceptable (but you should mention how much you discussed with whom). Code sharing is strictly NOT allowed. If you are not sure, please consult with the instructor.

### Honor Policies

We expect all homeworks to be completed **individually**. You may not share code or consult assignment solutions from **previous semesters or other institutions**. You are encouraged, however, to discuss the assignments in general and provide advice to other students that **does not amount to sharing code, pseudocode, or instructions that otherwise essentially solve the assignment**. We may use automated tools to look for similarities between homework submissions that suggest excessive collaboration.
Your submissions for homeworks **should not make extensive use of code found online**. Incidental use (very brief utility code that is clearly unrelated to any major objective of the assignment, like looking up code for splitting a string into an array) is okay, but **must be clearly cited**. If you are unsure whether something would qualify as "incidental", please consult the course staff first.

If we believe you have cheated, we may apply an arbitrarily harsh grade penalty up to and including an F in the course. This penalty is independent of (and potentially in addition to) any findings of the University Honor System.

#### Special Circumstances

If you may require an accommodation to fully access this course, please contact the Student Disability Access Center (SDAC) at (434) 243-5180 or sdac@virginia.edu. If you have other sorts of special circumstances, please also do not hesitate to contact the course staff about your circumstances.

## Accommodations

If you need any kind of special accommodation, including but not limited to disability, learning needs, illness, or personal circumstances, please contact us as soon as you are aware of these needs. We aim to be as accommodating and fair as possible. If you are not sure whether your situation warrants special attention, ask us.