Graduate School and Research Center in Digital Sciences

Cyber-crime and Computer Forensics

[Forensics]
T Technical Teaching


Abstract

 

The course is roughly divided into two parts. The first covers computer forensics and incident response. In particular, we discuss a number of techniques and open source tools to acquire and analyze network traces, hard disk images, Windows and Linux operating system artifacts, log files, and memory images.

The second part of the course deals with the analysis of malware and unknown binaries. Here the goal is to introduce students to the main classes of techniques used in malware analysis and reverse engineering. We cover both static techniques (ELF and PE file structures, disassemblers and decompilers, data and control flow analysis, abstract interpretation, ...) and dynamic techniques (sandboxing, library and syscall traces, dynamic instrumentation, debugging, taint analysis, unpacking, ...). We will use mostly open source tools, with the exception of IDA Pro.

Teaching and Learning Methods: Lectures and Homework Assignment

Bibliography

  All material will be provided during the course.

   The following books can provide additional material on the topics covered in class:

   - Malware Analysis Cookbook

   - Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software

   - The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac memory

   - Reversing: Secrets of Reverse Engineering

   - The IDA Pro Book

   - Digital Forensics with Open Source Tools

Requirements

None

Description

 Part I:

   * Introduction to digital forensics

   * Network traffic analysis

   * Disk and filesystem analysis

   * OS and software artifacts

   * Memory forensics

  Part II:

   * Malware analysis

   * Extracting information from ELF and PE files

   * Disassembling and decompiling (IDA Pro and radare2)

   * Tracing and debugging

   * Unpacking

   * Malware analysis sandboxes

   * The role of automation: malware analysis pipeline

Learning outcomes:

   Students will learn how to analyze a compromised system and how to extract evidence and collect events from a computer system. Students will also learn about malicious software, how it is developed, which tricks it employs, and how to analyze it in a lab environment.

Nb hours: 42.00

Grading Policy: Homework (40%), Final Exam (60%)

 

Nb hours per week: 3.00