Cybercrime and Computer Forensics

The course is roughly divided into two separate parts. The first covers the topics of computer forensics and incident response. In particular, we discuss a number of techniques and open source tools to acquire and analyze network traces, hard disk images, Windows and Linux operating system artifacts, log files, and memory images. The focus is on the technical and research aspects, with very little regarding regulations and administrative aspects.

The second part of the course deals with the analysis of unknown binaries. Here the goal is to introduce students to the main classes of techniques used in malware analysis and reverse engineering. We cover both static techniques (ELF and PE file structures, disassemblers and decompilers, data and control flow analysis, abstract interpretation, ...) and dynamic techniques (sandboxing, library and syscall traces, dynamic instrumentation, debugging, taint analysis, unpacking, ...). We will use mostly open source tools, with the exception of IDA Pro.

The course includes a mid-term and a final homework assignment in the form of an online game in which students play the role of an investigator who has to uncover a number of forensic artifacts and reverse engineer a custom malware binary.

A number of small projects are also proposed during the lectures. The goal is to ask students to develop (alone or in small groups) small tools to solve existing problems in the fields of computer forensics and binary analysis.
I'm very satisfied with some of the results. For example, these are some of the projects developed in past editions:

  • PASTA, an SSH traffic analyzer (blog post and code on GitHub) that implements several algorithms to detect stepping stone connections.
  • Actaeon (project page and paper), a Volatility plugin to extract and analyze hypervisors and guest virtual machines.
  • Chromagnon (description and code on GitHub), the first open source tool to parse the Chrome visited links files and the SNSS files.


Software Development

Software Development (or simply SoftDev) is an introductory course that teaches students how to use Linux (and in particular the command line) to solve common problems. The course covers three topics:

  • Linux command line: The goal of this part is to learn the Unix philosophy and be able to quickly solve simple problems by combining a bit of sed, awk, grep, sort, ...
  • Python programming: When tasks get too complex to solve on a bash prompt, it is time to switch to a more modern scripting language. In our case, Python.
  • SoftDev tools and tool-chain: This part covers several topics, from versioning with Subversion and Git, to compiling with GCC and Makefiles, up to using the autotools chain to create portable projects.

During the course, students receive the credentials to log in to a challenge machine, on which they have to solve a number of increasingly difficult assignments. For each of them, they are required to develop and submit a piece of software (or a sequence of shell commands) to solve a given problem. All code is tested automatically, and every time a challenge is solved, the next one in the same category is unlocked.