The course is roughly divided into two separate parts. The first covers computer forensics and incident response. In particular, we discuss a number of techniques and open source tools to acquire and analyze network traces, hard disk images, Windows and Linux operating system artifacts, log files, and memory images. The focus is on the technical and research aspects, with very little on regulations and administrative matters.
The second part of the course deals with the analysis of unknown binaries. Here the goal is to introduce students to the main classes of techniques used in malware analysis and reverse engineering. We cover both static techniques (ELF and PE file structures, disassemblers and decompilers, data and control flow analysis, abstract interpretation, ...) and dynamic techniques (sandboxing, library and syscall traces, dynamic instrumentation, debugging, taint analysis, unpacking, ...). We mostly use open source tools, with the exception of IDA Pro.
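As an illustration of the first static step listed above (reading the ELF and PE file structures before handing the binary to a disassembler), here is a small header triage routine. It is an added example written for this page, not course material or code from any of the tools mentioned; the two sample headers it parses are constructed inline, and the field values in them (entry point, section counts, machine types) are made up for the demonstration. The parser handles ELF32/ELF64 in either byte order and PE32/PE32+, and flags a section header table that points past the end of the file, a common sign of a truncated or packed sample.

```python
import struct

ELF_TYPES = {0: "ET_NONE", 1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
ELF_MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
PE_MACHINES = {0x14C: "x86", 0x8664: "x86-64", 0xAA64: "ARM64"}


def parse_elf(data):
    """Parse the ELF file header (Elf32_Ehdr / Elf64_Ehdr) of `data`."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]          # 1 = 32-bit / LE, 2 = 64-bit / BE
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS or EI_DATA")
    end = "<" if ei_data == 1 else ">"
    # Only the widths of e_entry/e_phoff/e_shoff differ between the two classes.
    fmt = end + ("HHIQQQIHHHHHH" if ei_class == 2 else "HHIIIIIHHHHHH")
    if len(data) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    (e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, _flags,
     _ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = struct.unpack_from(fmt, data, 16)
    warnings = []
    if e_shnum and e_shoff + e_shnum * e_shentsize > len(data):
        warnings.append("section header table lies beyond end of file (truncated or packed?)")
    if e_phnum and e_phoff + e_phnum * e_phentsize > len(data):
        warnings.append("program header table lies beyond end of file")
    return {
        "format": "ELF64" if ei_class == 2 else "ELF32",
        "endian": "little" if ei_data == 1 else "big",
        "type": ELF_TYPES.get(e_type, hex(e_type)),
        "machine": ELF_MACHINES.get(e_machine, hex(e_machine)),
        "entry": e_entry, "phoff": e_phoff, "phnum": e_phnum,
        "shoff": e_shoff, "shnum": e_shnum, "shstrndx": e_shstrndx,
        "warnings": warnings,
    }


def parse_pe(data):
    """Follow the DOS stub to the NT headers and parse the COFF header of `data`."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("invalid e_lfanew or missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature.
    (machine, nsections, timestamp, _symtab, _nsyms, opt_size,
     characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    # First field of IMAGE_OPTIONAL_HEADER tells PE32 (0x10B) from PE32+ (0x20B).
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic)
    if fmt is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return {
        "format": fmt,
        "machine": PE_MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": timestamp,
        "optional_header_size": opt_size,
        "dll": bool(characteristics & 0x2000),          # IMAGE_FILE_DLL
        "executable": bool(characteristics & 0x0002),   # IMAGE_FILE_EXECUTABLE_IMAGE
    }


def identify_binary(data):
    """Dispatch on the magic bytes; return {'format': 'unknown'} for anything else."""
    if data[:4] == b"\x7fELF":
        return parse_elf(data)
    if data[:2] == b"MZ":
        return parse_pe(data)
    return {"format": "unknown"}


# Constructed sample headers (not real binaries): only the fields parsed above carry meaning.
ELF64_SAMPLE = (
    b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8          # ELFCLASS64, little-endian, EV_CURRENT
    + struct.pack("<HHIQQQIHHHHHH",
                  3, 0x3E, 1,                 # ET_DYN, EM_X86_64, e_version
                  0x1040, 64, 0x1000, 0,      # e_entry, e_phoff, e_shoff, e_flags
                  64, 56, 11, 64, 29, 28)     # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
)

_pe = bytearray(0x9A)
_pe[0:2] = b"MZ"
struct.pack_into("<I", _pe, 0x3C, 0x80)                        # e_lfanew -> NT headers at 0x80
_pe[0x80:0x84] = b"PE\0\0"
struct.pack_into("<HHIIIHH", _pe, 0x84, 0x8664, 6, 0x5F3759DF, 0, 0, 0xF0, 0x0022)
struct.pack_into("<H", _pe, 0x98, 0x20B)                       # optional header magic: PE32+
PE_SAMPLE = bytes(_pe)

if __name__ == "__main__":
    for sample in (ELF64_SAMPLE, PE_SAMPLE, b"\x00" * 64):
        print(identify_binary(sample))
```

The two tables of constants are deliberately small; in practice you would keep the full `e_machine` and `IMAGE_FILE_MACHINE_*` lists, and follow `e_phoff`/`e_shoff` (or the section table after the optional header) to enumerate segments and sections before looking at any code.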
The course includes a mid-term and a final homework assignment, each in the form of an online game in which students play the role of an investigator who has to uncover a number of forensic artifacts and reverse engineer a custom malware binary.
A number of small projects are also proposed during the lectures. The goal is to have students develop (alone or in small groups) small tools that solve existing problems in the fields of computer forensics and binary analysis.
I'm very satisfied with some of the results. For example, these are some of the projects developed in past editions:
Software Development (or simply SoftDev) is an introductory course that teaches students how to use Linux (and in particular the command line) to solve common problems. The course covers three topics:
During the course, students receive the credentials to log into a challenge machine, on which they have to solve a number of increasingly difficult assignments. For each of them, they are required to develop and submit a piece of software (or a sequence of shell commands) that solves a given problem. All submissions are tested automatically, and every time a challenge is solved, the next one in the same category is unlocked.