The course is roughly divided into two separate parts. The first covers the topics of computer forensics and incident response. In particular, we discuss several techniques and open-source tools to acquire and analyze network traces, hard disk images, Windows and Linux operating system artifacts, log files, and memory images.
The second part of the course deals with the analysis of malware and unknown binaries. Here the goal is to introduce students to the main classes of techniques used in malware analysis and reverse engineering. We cover both static techniques (ELF and PE file structures, disassemblers and decompilers, data and control flow analysis, abstract interpretation, ...) and dynamic techniques (sandboxing, library and syscall traces, dynamic instrumentation, debugging, taint analysis, unpacking, ...). We will mostly use open-source tools, with the exception of IDA Pro.
Teaching and Learning Methods: Lectures and Homework Assignment.
Course Policies: Homework must be submitted by the specified deadline.
All materials will be provided during the course.
The following books may provide additional material on the topics covered in class:
- Book: LIGH M., ADAIR S., HARTSTEIN B., RICHARD M. Malware Analysis Cookbook. Wiley, 2010, 752p.
- Book: SIKORSKI M., HONIG A. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. No Starch Press, 2012, 800p.
- Book: LIGH M., CASE A., LEVY J., WALTERS A. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. John Wiley & Sons, 2014, 912p.
- Book: EILAM E. Reversing: Secrets of Reverse Engineering. Wiley, 2005, 624p.
- Book: EAGLE C. The IDA Pro Book. No Starch Press, 2011, 672p.
- Book: ALTHEIDE C., CARVEY H. Digital Forensics with Open Source Tools. Syngress, 2011, 288p.
None.
Part I:
- Introduction to digital forensics
- Network traffic analysis
- Disk and filesystem analysis
- OS and software artifacts
- Memory forensics
Part II:
- Malware analysis
- Extracting information from ELF and PE files
- Disassembling and decompiling (IDA Pro and radare2)
- Tracing and Debugging
- Unpacking
- Malware analysis sandboxes
- The role of automation: malware analysis pipeline
Learning outcomes:
- Students will learn how to analyze a compromised system and how to extract evidence and collect events from a computer system.
- Students will also learn about malicious software, how it is developed, which tricks it employs, and how to analyze it in a lab environment.
Nb hours: 42.00
Evaluation:
- Homework (40 % of the final grade)
- Final Exam (60 % of the final grade)