CS 665 Forensic Analysis
Forensics involves the identification, preservation, and analysis of evidence of attacks in order to identify attackers and document their activity with sufficient reliability to justify appropriate technological, business, and legal responses. This course focuses on the technological, not the legal, components of the topic. The technical aspects will focus on analyzing both network and host data. This includes review of network traffic logs (pcap, flow records) and traffic profiles and their types, identification of attack signatures and fingerprints, study of various traceback methods, application of data mining techniques, extraction of information (e.g., from malware, including botnet traffic) acquired through the use of network analysis tools and techniques, recovery of evidence left behind, and technologies that can be used to assist in the analysis of obtained data or in obtaining more data. We will look into methodologies for recovering data from persistent storage and memory, and we will investigate the use of virtual machines both to provide auditing capabilities to analysts and to set traps for attackers. The class will not only cover the subjects in theory but will also provide students with extensive hands-on experience. The class will involve a fair amount of programming.