CYBERCRIME DETECTION
AND FORENSICS
CIS 4385
Syllabus, lectures, and other materials — Summer 2014

Summer 2014: Syllabus for CIS-4385

Final Paper is Due on Tuesday, July 22

Bibliography for final paper is Due on Thursday, June 5 (originally Tuesday, June 3) — please submit this on Blackboard before class on June 5

Final Paper Requirements

Class Notes

Introduction

Technical Introduction to Windows

Technical Introduction to Unix/Linux

Memory Analysis

Memory Analysis, Part 2

Malware Post-Mortem

The Windows Registry

File Analysis

File Identification and profiling in the Linux environment

Live Analysis in Windows and Linux

Rootkits

Filesystems

The FAT Filesystem

The NTFS Filesystem

The EXT2/3 Filesystems

Assignment 0

Assignment 1

Assignment 2

Assignment 3

Assignment 4

Assignment 5

Other Material

ntpasswd home page

RegRipper website

Offensive Computing website

2008-08-11: Plastic Keys to Physical Locks: Researchers Crack Medeco High-Security Locks With Plastic Keys

2008-08-22: An email about an intrusion at Red Hat's Fedora: Infrastructure report, 2008-08-22 UTC 1200

2009-02-10: Data breach at FAA: FAA reports 45,000 data records pilfered from server

2009-04-01: Spam Back to 94% of All E-Mail

* 2009-05-15: Backup woes at Avsim: Hackers 'destroy' flight sim site

* 2009-07-23: Adobe Flash woes: New attacks exploit vuln in (fully-patched) Adobe Flash

* 2009-10-16: Big-Box Breach: The Inside Story of Wal-Mart's Hacker Attack

2009-10-22: FBI and SOCA plot cybercrime smackdown: White hats get proactive on e-crime

* 2010-01-20: Fearing Hackers Who Leave No Trace

2010-01-20: More Researchers Going On The Offensive To Kill Botnets

2010-02-04: Identifying almost identical files using context triggered piecewise hashing

2010-02-04: Using Every Part of the Buffalo in Windows Memory Analysis

2010-02-04: Using Hashing to Improve Volatile Memory Forensic Analysis

* 2010-02-05: Hacking for Fun and Profit in China's Underworld

* 2010-02-05: US oil industry hit by cyberattacks: Was China involved?

2010-02-06: FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory.

* 2010-02-19: Modern banker malware undermines two-factor authentication

* 2010-02-19: Broad New Hacking Attack Detected.

* 2010-02-19: The Kneber botnet - FAQ.

2010-02-19: The creation of a rogue CA certificate via an MD5 collision story: MD5 considered harmful today: Creating a rogue CA certificate.

2010-02-19: Why the Windows Registry sucks... technically

* 2010-02-23: Keyloggers: Churchill High grade scheme may involve half-dozen students; apparently, from other stories on this incident, the students may have picked this up from YouTube, which hosted videos on installing keyloggers, including ones showing how to create trojans to install keyloggers (search YouTube for "Ardamax", for instance.)

* 2010-03-08: A classic: No Stone Unturned

* 2010-03-16: What we know (and learned) from the Waledac takedown

2010-04-01: Another classic on the Linux ELF format: A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux.

2010-04-08: Older work on analyzing a binary

* 2011-01-04: Original Supreme Court materials on the Frye and Daubert standards.

2011-01-11: Security status of various hashes

2011-01-18: More odd stuff in the Windows registry: Stay Classy, Microsoft

2011-01-18: Electronic warfare: targeted malware: Israeli Test on Worm Called Crucial in Iran Nuclear Delay

2011-01-25: More printer vulnerabilities: Giving Hackers a Printed Invitation

2011-01-25: Improvements in Windows logging in 2008R2 and some versions of Windows 7

2011-01-25: USB device claims that it is a keyboard, issues commands: Researchers turn USB cable into attack tool

2011-02-01: DDoS arrests: Police arrest five men over Wikileaks-related 'Anonymous' denial of service attacks

2011-02-01: Infected PC Compromises Pentagon Credit Union

2011-02-01: Thumb Drive Attack in 2008 Compromised Classified U.S. Networks

2011-02-16: Foreign hackers attack Canadian government

2011-02-22: Man pockets $8m running computer fraud ring: Zombies dialed premium phone numbers

2011-02-24: New Financial Trojan Keeps Online Banking Sessions Open after Users 'Logout'

2011-02-24: A Good Decade for Cybercrime

2011-03-03: A Look Inside the Bustling Cybercrime Marketplace

2011-03-03: Anonymous speaks: the inside story of the HBGary hack

2011-03-03: Black ops: how HBGary wrote backdoors for the government

2011-03-29: New cybervirus found in Japan / Stuxnet designed to attack off-line servers via USB memory sticks

2011-04-08: Data Recovery in Linux (with TestDisk)

2011-06-06: How a cheap graphics card could crack your password in under a second

2011-08-02: Anatomy of a Unix breach

2011-09-12: Rent-a-Bot Networks Tied to TDSS Botnet

2011-11-04: Chaos Computer Club analyzes government malware

2011-11-14: Et tu, Boeing? FACT CHECK: SCADA Systems Are Online Now

2011-11-14: Underground call-centre for identity theft uncovered by security researchers

2011-11-14: The Dark Side Of Biometrics: 9 Million Israelis' Hacked Info Hits The Web

2011-11-14: The Underground Economy of Fake Antivirus Software (PDF)

2011-11-14: The Perfect Scam

2011-11-14: Who killed the fake-antivirus business?

2011-11-14: Russian police take a bite out of online crime

2011-11-28: Japan's continuing cybersecurity problems: Upper House confirms falling victim to cyber-attacks

2011-11-28: Japan's continuing cybersecurity problems: Only 45% of lawmakers changed passwords after cyber-attack

2011-11-30: Carrier IQ saga: Carrier IQ Tries to Silence Security Research Exposing Its Rootkit, gets Pinned Down by the EFF

2011-11-30: Carrier IQ saga: The Rootkit Of All Evil — CIQ

2011-11-30: Carrier IQ saga: Carrier IQ Tries to Censor Research With Baseless Legal Threat

2011-11-30: Carrier IQ saga: Smartphone Invader Tracks Your Every Move

2011-11-30: Carrier IQ saga: CarrierIQ

2011-11-30: Carrier IQ saga: Proof Published that Carrier IQ is Recording Key Presses and Location Data

2011-11-30: Carrier IQ saga: The Storm Is Not Over Yet — Lets Talk About #CIQ

2012-01-03: Carrier IQ saga: Some Facts about Carrier IQ

2012-01-05: Govt working on defensive cyberweapon / Virus can trace, disable sources of cyber-attacks

2012-02-15: Ron is Wrong, Whit is Right

2012-03-15: Researchers Seek Help in Solving DuQu Mystery Language

2012-03-29: Organised Crime in the Digital Age Executive Summary

2012-03-29: NSA Chief: China Behind RSA Attacks

2012-04-02: Hunting Malware with Volatility

2012-04-02: CSI: Internet HQ — Series 1

2012-04-02: CSI: Internet HQ — Series 2

2012-04-02: W32.Duqu The precursor to the next Stuxnet

2012-04-19: OpenSSL flaw

2013-01-16: "Red October" Diplomatic Cyber Attacks Investigation

2013-02-18: FROST: Forensic Recovery Of Scrambled Telephones

2013-02-18: U.S. said to be target of massive cyber-espionage campaign

2013-02-20: APT1: Exposing One of China's Cyber Espionage Units

2013-02-25: Code certificate laissez-faire leads to banking Trojans

2013-02-25: Digging Into the Sandbox-Escape Technique of the Recent PDF Exploit

2013-02-27: Bizarre old-school spyware attacks governments, sports Mark of the Beast

2013-02-27: The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor

2013-02-27: Miniduke

2013-03-04: As Hacking Against U.S. Rises, Experts Try to Pin Down Motive

2013-03-04: Where Apps Meet Work, Secret Data Is at Risk

2013-03-06: Malware linked to Chinese hackers aims at Japanese government

2013-03-22: How whitehats stopped the DDoS attack that knocked Spamhaus offline

2013-04-08: How a banner ad for H&R Block appeared on apple.com - without Apple's OK

2013-04-22: Japanese Police Ask ISPs to Start Blocking TOR

2013-05-14: The Case of the 500 Mile Email

2013-07-11: US agency baffled by modern technology, destroys mice to get rid of viruses

2013-07-11: Netragard's Hacker Interface Device (HID).

2013-07-16: Fraudsters trick people into handing over cards on doorstep

2013-08-01: Trusting iPhones plugged into bogus chargers get a dose of malware

2013-08-26: They Know Much More Than You Think

2013-09-10: The NSA Is Breaking Most Encryption on the Internet

2013-09-10: NSA Foils Much Internet Encryption

2013-09-10: The NSA's Secret Campaign to Crack, Undermine Internet Security

2013-09-10: Revealed: how US and UK spy agencies defeat internet privacy and security

2013-09-10: The Factoring Dead: Preparing for the Cryptopocalypse

2013-09-10: How Advanced Is the NSA's Cryptanalysis—And Can We Resist It?

2013-09-10: A Few Thoughts on Cryptographic Engineering

2013-09-10: New Snowden Documents Show NSA Deemed Google Networks a "Target"

2013-09-24: The iPhone 5s Touch ID hack in detail

2013-09-30: Meet the Machines that Steal Your Phone's Data

2013-10-10: A Computer Infection That Can Never Be Cured

2013-10-10: The Next Frontier of Password Cracking

2013-10-17: Analysis of the HTTPS Certificate Ecosystem

2013-10-22: The Privacy Challenges of Big Data: A View from the Lifeguard's Chair

2013-10-22: Experian Sold Consumer Data to ID Theft Service

2013-11-05: Top 100 Adobe passwords

2014-01-09: NSA ANT document in PDF format (rough OCR has been applied)

2014-01-09: The Danger of Rogue System Administrators

2014-01-09: NSA Codenames

2014-01-09: A new Dual EC DRBG flaw

2014-01-23: A First Look at the Target Intrusion, Malware

2014-01-23: Bluetooth Hackers Allegedly Skimmed Millions Via Gas Stations

2014-01-28: Spy Agencies Probe Angry Birds and Other Apps for Personal Data

2014-02-05: 7 Die in Fire Destroying Argentine Bank Archives

2014-05-13: Analyzing Forged SSL Certificates in the Wild

2014-05-15: No Place To Hide Documents

2014-06-09: Bot traffic is up to 61.5% of all website traffic

2014-06-10: Learning from the Enemy: The GUNMAN Project

2014-06-25: Mathematicians Discuss the Snowden Revelations

2014-07-16: GCHQ Catalog of Exploit Tools

2014-07-22: Mayhem

Suggested Mailing Lists

I also highly recommend reading comp.risks (you can read it in rdf format at http://catless.ncl.ac.uk/rdigest.rdf, or via email — instructions are at http://www.csl.sri.com/users/risko/risksinfo.html) or adding its RSS feed at http://catless.ncl.ac.uk/risksatom.xml to your feed browser.