Boston University Metropolitan College
CS703_EL_Fall-2017 [email protected] Page 1 of 12
Network Forensics MET CS 703, Course Format (Blended), Fall 2017
Instructor
Dr. Bhumip Khasnabish, PhD, AMCPM
Visiting Prof. of Practice, Computer Science Dept., Metropolitan College, Boston University
Office hours: One hour prior to class or by prior arrangement
Office Address: To be confirmed
E-mail: [email protected]

Course Description
This course provides a comprehensive understanding of network forensic analysis principles. Within the context of forensics security, network infrastructures, topologies, and protocols are introduced. Students will understand the relationship between network forensic analysis and network security technologies. Students will learn to identify network security incidents and potential sources of digital evidence and demonstrate the ability to perform basic network data acquisition and analysis using computer-based applications and utilities. Students will also identify potential applications for the integration of network forensic technologies and demonstrate the ability to accurately document network forensic processes and analysis. Prereq: MET CS 625 and MET CS 695; or instructor's consent.

Prerequisites
Knowledge of information technology fundamentals (computer hardware, operating systems, applications and networking) is required. Additional information on forensics can be found in Wikipedia (https://en.wikipedia.org/wiki/Network_forensics, http://forensicswiki.org/) and Open Source Digital Forensics Conference (OSDFCon, https://www.osdfcon.org/) publications. Successful completion of MET CS 625 and MET CS 695, or instructor’s approval, is also required.
Course Learning Objectives
Upon successful completion of this course you will learn how to:
Examine network evidence from a compromise by an attacker
Identify the attacker's actions from recording of logs, events and incidents
Analyze evidence from network, its infrastructure, and form(s)
Develop scientific hypotheses using forensic investigation tools
Test/revise hypotheses and articulate chronological findings
Recommended Course Books
1. Network Forensics, Ric Messier, Wiley, ISBN: 978-1-119-32828-5, August 2017
2. Network Attacks and Exploitation: A Framework, Matthew Monte, Wiley, ISBN: 978-1-118-987 {12-4, 08-7, 23-0}, 2015
3. Network Forensics: Tracking Hackers through Cyberspace, Sherri Davidoff and Jonathan Ham, Prentice Hall, ISBN-13:978-0132564717, ISBN-10:0132564718, 2012
4. Computer Forensics : Investigating Network Intrusions and Cyber Crime, EC-Council, ISBN-13: 978-1-4354-8352-1, ISBN-10: 1-4354-8352-9 (latest edition)
5. (a) Computer Forensics: Investigating Wireless Networks and Devices, EC-Council, ISBN-13: 978-1-4354-8353-8, ISBN-10: 1-4354-8353-7 (latest edition) and (b) Digital Forensics for Handheld Devices, E. P. Doherty (Ed.), CRC Press, 2013
6. Handbook of Digital Forensics and Investigations, Eoghan Casey ed., Elsevier Academic Press ISBN 13: 978-0-12-374267-4 (latest edition)
7. Digital Forensics with Open Source Tools, C. Altheide et al, Syngress/Elsevier, 2011
Recommended Articles
A. Adversarial Network Forensics in Software Defined Networking, S. Achleitner et al, SOSR’17, ACM, Santa Clara, CA, USA, 2017
B. Software-Defined Network Forensics: Motivation, Potential Locations, Requirements, and Challenges, IEEE Network, Vol.30 Issue 6, Nov.-Dec. 2016
C. Cloud computing: The digital forensics challenge, Meyer, G., & Stander, Proc. of Informing Science & IT Education Conference (InSITE), 2015
D. Threat Analysis for the SDN Architecture, Version 1.0, ONF TR-530, 2016
E. The Journal of Digital Forensics, Security and Law (JDFSL), Please see the Latest Articles (http://commons.erau.edu/jdfsl/) and the “Most Popular Papers,” 2017
Laptop Requirements
Before you start configuring your laptop for the course assignments and/or experiments, please back up all of your files and system configuration data/information. You will need a system (e.g., 64-bit Windows) with a multi-core CPU (~3.0 GHz), >8 GB RAM, and >50 GB of free disk space. You can download VirtualBox from the website: https://www.virtualbox.org/wiki/Downloads

Courseware
This course uses Online Campus (Blackboard). Once the course starts, all students must use the Online Campus Dashboard internal messages service. Students are required to use Online Campus for:
reading and submitting assignments
submitting lab exercises and taking on-line exams and quizzes
participating in discussion threads
all course-related email correspondence
Class Policies
1) Attendance & Absences
Students are required to attend the four scheduled on-campus lectures (9/9, 10/7, 11/11, 12/9) and the final exam on 12/16.
Students must notify the instructor in advance if unable to attend any on-campus lecture
2) Classroom Etiquette
Please arrive before the lecture begins (class start time). Turn off your cell phone and leave it on the desk in front of the Professor with a sticky note on which your name and ID are written
Please leave one chair space between you and the person sitting next to you. During the lecture, DO NOT talk to anyone else except to the Professor if you have a question or need some clarification on the topics that are being discussed
If the Professor asks you a question, answer it to the best of your knowledge looking at the Professor, and without looking at or talking to anyone else
Always put your name tag/badge in front of you on the desk so that it is clearly visible by the Professor
3) Assignment, Lab Exercise and Discussion Completion & Late Work
Homework assignments are mandatory, must be completed and submitted in a timely manner, and are required to be submitted via Online Campus for this course. Each day that a homework assignment is submitted after its due date will result in a penalty of 3 points. Homework assignments submitted more than 5 days late will receive a grade of zero (0). If a student will be unable to submit an assignment by its due date, the student must contact the instructor in advance to avoid the late submission penalty.
Lab exercises are mandatory, must be completed and submitted in a timely manner, and are required to be submitted via Online Campus for this course. Each day that a lab exercise is submitted after its due date will result in a penalty of 3 points. Lab exercises submitted more than 5 days late will receive a grade of zero (0). If a student will be unable to submit a lab exercise by its due date, the student must contact the instructor in advance to avoid the late submission penalty.
Student postings to discussion topic after the listed closing dates will not be counted when calculating a student’s discussion grades.
4) Academic Conduct Code – Cheating and plagiarism will not be tolerated in any Metropolitan College course. Such activities/behavior will result in no credit for the assignment or examination and may lead to disciplinary actions. Please take the time to review the Student Academic Conduct Code: http://www.bu.edu/met/metropolitan_college_people/student/resources/conduct/code.html
Such activities/behavior include copying (even with modifications) another student’s work or letting your work be copied. Your participation in interactions with the instructor and your classmates is encouraged, but the work you submit must be your own. Collaboration is not permitted.
Grading Criteria
You will have to do homework assignments to help you master the material. You will also have to read the textbooks and be ready to discuss the issues related to the current class topics. Grades will be based on:
homework assignments (30%)
lab exercises and/or project (30%)
in-class and discussion thread participation (10%)
proctored final exam (30%)
Grade ranges are as follows:
A’s: {90-93 is an A-, and 94+ is an A}
B’s: {80-83 is a B-, 84-86 is a B, and 87-89 is a B+}
C’s: {71-73 is a C-, 74-76 is a C, and 77-79 is a C+}
F: 60 to 70

Class Meetings, Lectures, Assignments, Lab Exercises & Examinations
The course will include four (4) class sessions held at the Boston University campus. Each class session will include lectures, laboratory exercises, and an interactive exchange of course-related concepts and materials. These sessions also provide students with the opportunity to interact with other students and the course instructor. The proposed class session dates are listed below (subject to change based on course and instruction requirements):
All on-campus class sessions will occur in Fuller Bldg. (808 Commonwealth Avenue, Boston, MA), Rm. No. 109, on the following dates:
Session 1 (Module 1): September 9, 2017 between 1 PM and 4 PM ET
Session 2 (Module 3): October 7, 2017 between 1 PM and 4 PM ET (may include a guest lecture)
Session 3 (Module 5): November 11, 2017 between 1 PM and 4 PM ET (may include a guest lecture)
Session 4 (Module 7): December 9, 2017 between 1 PM and 4 PM ET (may change to 6-9 PM ET)
Final Exam: December 16, 2017 between 1 PM and 4 PM ET
Students are expected to read the documents listed in the Study Guide prior to each face-to-face session. These documents can be downloaded from the Blackboard Discussion ‘From your Instructor’ area. We will be discussing each document that is assigned to a session. Failure to read these documents prior to each session will affect your Discussion grades.
Project Selection Guideline
Review the Network Forensics related Briefings, Arsenal, Features, Events, etc. of recent
BlackHat (https://www.blackhat.com) and Digital Forensics Conference
(https://www.osdfcon.org/), and the articles in JDFSL (http://commons.erau.edu/jdfsl/).
Determine your single area of focus, e.g., Tools, Evidence Acquisition, Evidence Analysis,
Strategy, Remote Access, etc.
Review the project in your focus area in Open Source space (e.g.,
https://github.com/cugu/awesome-forensics).
Finalize only one project which is of most interest to you and you can excel in contributing to
the development, testing and finalizing. Good Luck!
On-line Live sessions
There will be a number of one-hour on-line sessions, in addition to the on-campus meetings identified above, which will be held at 7 PM ET on the following Wednesdays: Sept.(20), Oct.(04 and 18), Nov.(01, 15, and 29), and Dec.(13).

Assignment/Homework/Exercise/Project Submission Guideline
PLEASE submit the completed tasks in MS Word or PPT file(s) via email before the due date. File names for the documents must be as follows:
<student’s first name>-CS703-Abcd<number>-ddMnt2017.doc
An example of the document file name for assignment no. 3 submitted by the Instructor on the 15th of August is as follows:
Bhumip-CS703-Asgn3-15Aug2017.doc
Note: Abcd=Asgn for Assignment submission, Abcd=Hwrk for Homework submission, Abcd=Labs for Lab/Exercise submission, and Abcd=Proj for Project submission; dd is the two-digit date of submission, and Mnt is the first three letters of the month of submission. Include the file name in the header and a page number in the footer of your assignment submission document. Quoted materials and citations must follow the Modern Language Association (MLA, https://style.mla.org/) format with a reference section at the end of a student’s submitted work. Then, print the first page of your email on one side of a sheet of paper, and the first page of your assignment submission file on the other side of the same sheet. Finally, bring that sheet for submission before the lecture immediately following the submission date.
Class Meetings, Lectures & Assignments

Module 1 (9 Sept.)
Topic: Network Forensics Basics: Fundamentals; Strategies; Evidence Gathering
Readings Guide: Ch.1-2 of Rec. Book 1; Ch.1-3 of Rec. Book 3; Ch.1-2 of Rec. Book 4; Ch.1-2 of Rec. Book 6
Assignments Due: Assignment-1 & Discussion-1 are due by 9/19

Module 2 (20 Sept. and 04 Oct.)
Topic: Types of Attacks: Web/Host Attacks; Routers/Switches/.. Attacks; Device-based Attacks
Readings Guide: Ch.5-6 of Rec. Book 1; Ch.1-6 of Rec. Book 2; Ch.4-7 of Rec. Book 3; Ch.3-5 of Rec. Book 4
Assignments Due: Discussion-2 due by 10/3

Module 3 (7 Oct.)
Topic: Network Forensics Tools: Wired/Wireless Access; Internet; Software-Defined Nets
Readings Guide: Ch.3, 4 & 9 of Rec. Book 1; Ch.9 & 10 of Rec. Book 3; Ch.1 of Rec. Book 5(a); Rec. Articles [A-D]
Assignments Due: Assignment-2 & Project Outline due today (10/7)

Module 4 (18 Oct. and 01 Nov.)
Topic: Correlation/Analyses of Logs/Events/Traces and Investigations: Denial of Service; Internet Crimes; Email-based Crimes; Wireless Attacks
Readings Guide: Ch.4, 10 & 11 of Rec. Book 1; Ch.8 of Rec. Book 3; Ch.5-7 of Rec. Book 4; Ch.4, 9 & 10 of Rec. Book 6
Assignments Due: Discussion-3 due by 10/17; Project Update due by 10/31

Module 5 (11 Nov.)
Topic: IoT and Device-based Attacks/Forensics: Tagged and Simple Sensors; Hand-held Devices
Readings Guide: Ch.2-4 of Rec. Book 5(a); Ch.1-4 of Rec. Book 5(b); Article 3 on Android Forensics from Vol.10, No.4 of JDFSL
Assignments Due: Assignment-3 & Project Update due today (11/11)

Module 6 (15 Nov. and 29 Nov.)
Topic: Typical Industrial and Social Crimes: Corporate Espionage; Trademark and Copyright violations; Other Social Crimes
Readings Guide: Ch.11 & 12 of Rec. Book 3; Ch.8-11 of Rec. Book 4; Ch.6, 7 & 9 of Rec. Book 2
Assignments Due: Discussion-4 due by 11/14; Project Update due by 11/28

Module 7 (9 Dec.)
Topic: Incident Prevention and Impact Mitigation Techniques: Proactive Steps; Analytics-based Predictive Steps
Readings Guide: Ch.7 & 8 of Rec. Book 1; Ch.8 of Rec. Book 2; Ch.7 of Rec. Book 3; Rec. Articles [D-E]
Assignments Due: Assignment-4 & Project Update due today (12/09)

Module 8 (13 Dec.)
Topic: Advanced Net Forensics Topics: Deep-Stats and Big-Data-Analytics-based Forensics; Intelligent Forensics; Open Source Tools
Readings Guide: Ch.9 of Rec. Book 1; Ch.1, 2 & 9 of Rec. Book 7; Rec. Articles [A-E]
Assignments Due: Final Slides for Project due by 12/12

Module 9 (16 Dec.)
Final Exam; Final Project Presentation & Uploading of Video
Preparatory Study Materials

[1] On-campus Face-to-Face Session#1
Date: 9/9 between 1 PM and 4 PM ET
Note: Preparatory Reading (to be read prior to attending session#1)
Association of Computing Machinery (1992). ACM code of ethics and professional conduct. Communications of the ACM, 35(5), pp. 94-99
Anderson, R.E., Johnson, D.G., Gotterbarn, D., & Perrolle, J. (1993). Using the New ACM Code of Ethics in Decision Making. Communications of the ACM, 36(2), pp. 98-107
Hofstede, R., Celeda, P., Trammell, B., Drago, I., Sadre, R., Sperotto, A., & Pras, A. (2014). Flow Monitoring Explained: From Packet Capture to Data Analysis With NetFlow and IPFIX. IEEE Communications Surveys & Tutorials, 16(4), pp. 2037-2064. doi: 10.1109/COMST.2014.2321898
McRee, R. (2013, August). C3CM: Part 1 – Nfsight with Nfdump and Nfsen. ISSA Journal, pp. 29-32
Nehinbe, J. O. (2010). Log Analyzer for Network Forensics and Incident Reporting. Intelligent Systems, Modelling and Simulation, International Conference on, pp. 356-361
Reith, M., Carr, C., & Gunsch, G. (2002). An Examination of Digital Forensic Models. International Journal of Digital Evidence, 1(3), pp. 1-12
Willson, D. (2013, August). Legal Issues of Cloud Forensics. ISSA Journal, pp. 25-28
[2] On-campus Face-to-Face Session#2
Date: 10/7 between 1 PM and 4 PM ET
Note: Preparatory Reading (to be read prior to attending session#2)
Divyesh, G.D.D & Nagoor, M.A.R. (2014). Forensic Evidence Collection by Reconstruction of Artifacts in Portable Web Browser. International Journal of Computer Applications, 91(4), pp. 32-35
Dormann, W. & Rafail, J. (2011). Securing your web browser. CERT, Software Engineering Institute, Carnegie Mellon University, pp. 1-18
Dukes, L., Yuan, X., & Akowuah, F. (2013, April). A case study on web application security testing with tools and manual testing. In Southeastcon, 2013 Proceedings of IEEE, pp. 1-6
Tabini, M. (2011). Learn the basics of Web browser security. MacWorld.com, pp. 1-2
Martellaro, J. (2011). The State of Browser Security. The Mac Observer, pp. 1-3
Mylonas, A., Tsalis, N., & Gritzalis, D. (2013). Evaluating the manageability of web browsers controls. In Security and Trust Management, pp. 82-98
Webdevout (2011). Web Browser Security Summary. pp. 1-8
Gugelmann, D., Gasser, F., Ager, B., & Lenders, V. (2015). Hviz: HTTP(S) traffic aggregation and visualization for network forensics. Digital Investigation, 12, S1-S11
[3] On-campus Face-to-Face Session#3
Date: 11/11 between 1 PM and 4 PM ET
Note: Preparatory Reading (to be read prior to attending session#3)
Palomo, E. J., North, J., Elizondo, D., Luque, R. M., & Watson, T. (2012). Application of growing hierarchical SOM for visualisation of network forensics traffic data. Neural Networks, 32, 275-284
Al-Mahrouqi, A., Abdalla, S., & Kechadi, T. (2014, October). Network Forensics Readiness and Security Awareness Framework. In International Conference on Embedded Systems in Telecommunications and Instrumentation (ICESTI 2014), Algeria, October 27-29 2014
Bates, A., Butler, K., Haeberlen, A., Sherr, M., & Zhou, W. (2014, February). Let SDN be your eyes: Secure forensics in data center networks. In Proceedings of the NDSS Workshop on Security of Emerging Network Technologies (SENT’14)
Paglierani, J., Mabey, M., & Ahn, G. J. (2013, October). Towards comprehensive and collaborative forensics on email evidence. In Collaborative Computing: Networking, Applications and Worksharing, 9th International Conference on, 11-20
Guo, H., Jin, B., & Qian, W. (2013, April). Analysis of Email Header for Forensics Purpose. In Communication Systems and Network Technologies (CSNT), 2013 International Conference on, 340-344
Ruan, K., Carthy, J., Kechadi, T., & Baggili, I. (2013). Cloud forensics definitions and critical criteria for cloud forensic capability: An overview of survey results. Digital Investigation, 10(1), 34-43
Shah, J. J., & Malik, L. G. (2013, December). Cloud Forensics: Issues and Challenges. In Emerging Trends in Engineering and Technology (ICETET), 6th International Conference on, 138-139. IEEE
Shah, J. J., & Malik, L. G. (2014, February). An approach towards digital forensic framework for cloud. In Advance Computing Conference (IACC), 2014 IEEE International, 798-801. IEEE
Bhatt, P., Toshiro Yano, E., & Gustavsson, P. M. (2014, April). Towards a Framework to Detect Multi-stage Advanced Persistent Threats Attacks. In Service Oriented System Engineering (SOSE), 8th International Symposium on, 390-395. IEEE
De Vries, J., Hoogstraaten, H., van den Berg, J., & Daskapan, S. (2012, December). Systems for Detecting Advanced Persistent Threats: A Development Roadmap Using Intelligent Data Analysis. In Cyber Security (CyberSecurity), International Conference on, 54-61. IEEE
Virvilis, N., Gritzalis, D., & Apostolopoulos, T. (2013, December). Trusted Computing vs. Advanced Persistent Threats: Can a defender win this game? In Ubiquitous Intelligence and Computing, 10th International Conference on and 10th International Conference on Autonomic and Trusted Computing, 396-403. IEEE
[4] On-campus Face-to-Face Session#4
Date: 12/9 between 1 PM and 4 PM ET (may change to 6-9 PM ET)
Note: Preparatory Reading (to be read prior to attending session#4)
Rani, D. R., & Geethakumari, G. (2015, January). An efficient approach to forensic investigation in cloud using VM snapshots. In Pervasive Computing (ICPC), 2015 International Conference on (pp. 1-5). IEEE
Morioka, E., & Sharbaf, M. S. (2015, April). Cloud Computing: Digital Forensic Solutions. In Information Technology-New Generations (ITNG), 2015 12th International Conference on (pp. 589-594). IEEE
Kadivar, M. (2014). Cyber-Attack Attributes. Technology Innovation Management Review, 4(11)
Maheux, B. (2014). Assessing the Intentions and Timing of Malware. Technology Innovation Management Review, 4(11)
Paverd, A., Martin, A., & Brown, I. (2014). Security and Privacy in Smart Grid Demand Response Systems. In Smart Grid Security (pp. 1-15). Springer International Publishing
Kumar, V., Oikonomou, G., Tryfonas, T., Page, D., & Phillips, I. (2014). Digital investigations for IPv6-based Wireless Sensor Networks. Digital Investigation, 11, S66-S75
Chen, S., Zeng, K., & Mohapatra, P. (2014). Efficient data capturing for network forensics in cognitive radio networks. Networking, IEEE/ACM Transactions on, 22(6), 1988-2000

[5] On-campus Face-to-Face Session#5
Date: 12/16 between 1 PM and 4 PM ET
Note: Final Exam, and Final Presentation of Project
Final version of Project Slides due, and Video Upload
Additional Resources
Open Source PCAP and Other Files/Videos
There are many open source PCAP files, as can be found by searching (e.g., at https://duckduckgo.com/) with “PCAP files for forensic experiments.” Here is a preliminary list of URLs and video clips that you may find useful.
PCAP files at Sourceforge.net: https://sourceforge.net/directory/os:windows/?q=pcap
Publicly available PCAP files: https://www.netresec.com/?page=PcapFiles
Evidence files for practicing examination in your laptop: https://lmgsecurity.com/nf
Files for Malware traffic analysis exercises: http://www.malware-traffic-analysis.net/training-exercises.html
PCAP Wiki site: https://en.wikipedia.org/wiki/Pcap
Files from Computer Forensics Education Research: https://digitalcorpora.org/
Installing BitCurator as a VM using VirtualBox: https://www.youtube.com/watch?v=ttfLavXwpj8
BitCurator: Using Bulk Extractor to Locate Potentially Sensitive Information: https://www.youtube.com/watch?v=mWMzwo4kWDc
Intercept Personally Identifiable Information (PII) with NSi Autostore's Data Filter: https://www.youtube.com/watch?v=-T8Ufxb_5Qs
A Sample of Network Forensics Tools
TCPdump: http://www.tcpdump.org/
Wireshark/Ethereal: https://www.wireshark.org/
NetFlow: https://en.wikipedia.org/wiki/NetFlow
sFlow: https://en.wikipedia.org/wiki/SFlow
IP Flow Information Export (IPFIX): https://en.wikipedia.org/wiki/IP_Flow_Information_Export
Network Forensics Tools: http://www.forensicswiki.org/wiki/Tools:Network_Forensics
DNS Tools: http://www.dnsstuff.com/
DHCP Server Audit Tools: https://www.manageengine.com/
Security Tools for IPv6: https://github.com/toperaproject/topera#topera-project-page
Digital Forensics Tools: http://www.digitalforensicsassociation.org/opensource-tools/
Popular Forensics Tools: http://resources.infosecinstitute.com/computer-forensics-tools/
Forensic Investigations-Tools/Hacks: https://www.youtube.com/watch?v=68f-VAV89QQ
Digital Forensics Tool Testing: http://dftt.sourceforge.net/
Student Conduct Responsibilities
Notice of Criminal, Civil, and Administrative Responsibility
The legal and authorized use of the materials, software, applications, processes, techniques or services described in this course, presented in written or verbal form, is the sole responsibility and liability of the individual student. The course instructor and Boston University assume no liability for any damages resulting from unauthorized use of the knowledge gained by student(s) from material covered in this course.
The content and use of the course materials, software, applications, processes, techniques or services described in presentation materials or conveyed verbally by the course instructor may be limited or restricted by federal, state or local criminal and/or civil laws or the acceptable use policies in corporations, businesses or organizations.
It is the responsibility of the student to ensure that they do not perform any action, process or technique that could violate any criminal, civil or administrative laws, regulations and/or policies.
There shall be no liability on the part of the course instructor for any loss or damage, direct or consequential, arising from the use of this information or any action by student(s) that is determined to be in violation of any federal, state and/or local civil or criminal law, or for violation of any administrative regulation, policy or acceptable use policy that results in prosecution, or any loss, to include termination of employment, forfeiture, restitution or fines.
Student enrollment in this course will constitute an agreement to the aforementioned terms and conditions of student responsibilities and liabilities.