Syllabus

# CS 407 - CF III: Memory Forensics

### Syllabus & Instructions for survival

### Southern Oregon University

### Spring 2015

### Instructors: Lynn Ackler & Topher Timzen

### Class Times: 3:30 - 5:20 Monday and Wednesday

### Office:
CSC 222 & CS115

### Office Hours:
Ackler: By appointment && Usually around.

Timzen: Always in CS115.

### Phone: 552-6974

### E-mail: [email protected], [email protected]

### Texts (recommended): The Art of Memory Forensics, by Michael Hale Ligh, Andrew Case, and Jamie Levy; Windows Internals, 6th Edition, Volumes 1 & 2, by David Solomon and Mark Russinovich

### Course Material:

http://webpages.sou.edu/~ackler 

http://tophertimzen.com/cs407

### Prerequisites: Upper division standing in Computer Science, knowledge of the command line

### Required: Laptop & Skillz

### Objectives:

  1. Gain a working knowledge of computer forensics and forensic investigations
  2. Be able to test, calibrate and verify all of the tools used
  3. Understand the internals of the Windows Kernel as it pertains to Malware
  4. Ability to parse through user and kernel structures to find malicious code
  5. Gain an understanding of Malware Analysis
  6. Timeline events through a raw memory dump

### Working Rules:

  • Attendance: Attendance is not required. However, learning something outside of class takes about 10 times the effort of learning it in class. Anything presented in class is your sole responsibility to know. If you miss a class, it is your responsibility to obtain the material presented, either on your own or from me.
  • Incomplete: In general, an incomplete will not be given. If 75% of the course-work has been successfully completed, an incomplete grade may be given in special cases.

  • Assignments:
    • There will be approximately 7 lab assignments.
    • Labs will be due approximately one week after the assignment date.
  • Grading:
    • Lab assignments are worth 100% of the grade.
    • All written labs will be submitted via e-mail. Printed assignments not accepted.
    • Late lab assignments will be reduced by 10% each day they are late.

## Tentative Schedule: Memory Forensics

### Week 1: Introduction to Memory and Acquisition

  • Translating Virtual Addresses to Physical Addresses
  • Acquisition of live memory

### Week 2: Windows Objects, Pools, Processes, Handles & Tokens

  • Windows Executive
  • Object Headers
  • Pool-tag scanning
  • _EPROCESS
  • Critical Processes

### Week 3-4: Process Memory Internals & Malware

  • Dynamically Linked Libraries
  • Process Environment Block
  • Malware techniques and memory remnants

### Week 5-6: Event Logs, Networking and Registry

  • Recovery of event logs, network state, and registry data from memory

### Week 7: Rootkits

  • Rootkit techniques

### Week 8: Windows GUI

  • Recovering GUI information from memory

### Week 9: Disk Artifacts in Memory

### Week 10: Time Lining / EOF

  • Event Reconstruction

### Schedule Note: As time permits, more will be added on Malware and Malware Analysis techniques to expose students to concepts and practices.

### Additional: If you are in need of support because of a documented disability (whether it be learning, mobility, psychiatric, health-related, or sensory), you may be eligible for academic or other accommodations through Disability Services for Students. Contact Shawn Foster, Director, DSS, at [email protected]; or by calling 541-552-6213; or schedule an appointment in person at the ACCESS Center, Stevenson Union, Room 134. For detailed information: www.SOU.edu/Access/Dss