CIS 4385
Syllabus, lectures, and other materials — Spring 2011

Spring 2011: Syllabus for CIS-4385

Final Paper Requirements


Assigned 2011-01-04:

Assigned 2011-01-25: MF, pp. 93-120.

Assigned 2011-01-27: Assignment 0, due Tuesday February 1st.

Assigned 2011-02-03: Assignment 1, due Thursday, February 10th.

Assigned 2011-02-15: Assignment 2, due Tuesday February 17th.

Assigned 2011-03-03: Assignment 3, due Thursday March 17th.

Class Notes


Windows Forensics Introduction

Unix/Linux Forensics Introduction

Memory Analysis, Part 1

Memory Analysis, Part 2

Malware Post-Mortem

Windows Registry

File Analysis: file identification and profiling

File Analysis: file identification and profiling in the Linux environment

Issues in Live Analysis in Windows and Linux

Rootkits and what not


FAT filesystem in detail

NTFS filesystem in detail

Other Material

2008-08-11: Plastic Keys to Physical Locks: Researchers Crack Medeco High-Security Locks With Plastic Keys

2008-08-22: An Email about an intrusion at Redhat's Fedora: Infrastructure report, 2008-08-22 UTC 1200

2009-02-10: Data breach at FAA: FAA reports 45,000 data records pilfered from server

2009-04-01: Spam Back to 94% of All E-Mail

* 2009-05-15: Backup woes at Avsim: Hackers 'destroy' flight sim site

* 2009-07-23: Adobe Flash woes: New attacks exploit vuln in (fully-patched) Adobe Flash

* 2009-10-16: Big-Box Breach: The Inside Story of Wal-Mart's Hacker Attack

2009-10-22: FBI and SOCA plot cybercrime smackdown: White hats get proactive on e-crime

* 2010-01-20: Fearing Hackers Who Leave No Trace

2010-01-20: More Researchers Going On The Offensive To Kill Botnets

2010-02-04: Identifying almost identical files using context triggered piecewise hashing

2010-02-04: Using Every Part of the Buffalo in Windows Memory Analysis

2010-02-04: Using Hashing to Improve Volatile Memory Forensic Analysis

* 2010-02-05: Hacking for Fun and Profit in China’s Underworld

* 2010-02-05: US oil industry hit by cyberattacks: Was China involved?

2010-02-06: FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory.

* 2010-02-19: Modern banker malware undermines two-factor authentication

* 2010-02-19: Broad New Hacking Attack Detected.

* 2010-02-19: The Kneber botnet - FAQ.

2010-02-19: The creation of a rogue CA certificate via an MD5 collision story: MD5 considered harmful today: Creating a rogue CA certificate.

2010-02-19: Why the Windows Registry sucks... technically

* 2010-02-23: Keyloggers: Churchill High grade scheme may involve half-dozen students; apparently, from other stories on this incident, the students may have picked this up from Youtube, which hosted videos on install keyloggers, including ones showing how to create trojans to install keyloggers (search Youtube for "Ardamax", for instance.)

* 2010-03-08: A classic: No Stone Unturned

* 2010-03-16: What we know (and learned) from the Waledac takedown

2010-04-01: Another classic on the Linux ELF format: A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux.

2010-04-08: Older work on analyzing a binary

* 2011-01-04: Original Supreme Court materials on the Frye and Daubert standards.

2011-01-11: Security status of various hashes

2011-01-18: More odd stuff in the Windows registry: Stay Classy, Microsoft

2011-01-18: Electronic warfare: targeted malware: Israeli Test on Worm Called Crucial in Iran Nuclear Delay

2011-01-25: More printer vulnerabilities: Giving Hackers a Printed Invitation

2011-01-25: Improvements in Windows logging in 2008R2 and some versions of Windows 7:

2011-01-25: USB device claims that it is a keyboard, issues commands: Researchers turn USB cable into attack tool

2011-02-01: DDos arrests: Police arrest five men over Wikileaks-related 'Anonymous' denial of service attacks

2011-02-01: Infected PC Compromises Pentagon Credit Union

2011-02-01: Thumb Drive Attack in 2008 Compromised Classified U.S. Networks

2011-02-16: Foreign hackers attack Canadian government

2011-02-22: Man pockets $8m running computer fraud ring: Zombies dialed premium phone numbers

2011-02-24: New Financial Trojan Keeps Online Banking Sessions Open after Users 'Logout'

2011-02-24: A Good Decade for Cybercrime

2011-03-03: A Look Inside the Bustling Cybercrime Marketplace

2011-03-03: Anonymous speaks: the inside story of the HBGary hack

2011-03-03: Black ops: how HBGary wrote backdoors for the government

2011-03-29: New cybervirus found in Japan / Stuxnet designed to attack off-line servers via USB memory sticks

2011-04-08: Data Recovery in Linux (with TestDisk)

Suggested Mailing Lists

I also highly recommend reading comp.risks (you can read it in rdf format at, or via email — instructions are at or adding its RSS feed at to your feed browser.