copyright Robert M. Slade, 2002

BRITISH COLUMBIA INSTITUTE OF TECHNOLOGY

Operating Unit: School of Computing and Academic Studies
Program: B. Tech; Computer Systems Technology
Option:
Course Outline: COMP #7615 Forensic Programming

Start Date:
End Date:
Course Credits: 3
Term/Level:
Total Hours: 45
Total Weeks: 12
Hours/Week: 3.75
Lecture: 2.75
Lab: 1
Shop:
Seminar:
Other:

Prerequisites

Admission to the BTech program or permission of Program Head. Basic knowledge of computer systems, file system structures (particularly FAT), and assembly or machine language programming (particularly 80x86) would be helpful background.

Course Description

Computer forensics is primarily seen in terms of the recovery, and preservation for presentation as evidence, of data from computers that may have been used in the commission of some criminal activity. Occasionally this definition is extended to include analysis of data from network logs.

Forensic programming is a little known field. It involves the analysis of program code, generally object or machine language code, in order to determine, or provide evidence for, the intent or authorship of a program. As forensic programming was pioneered in the field of computer viruses, virus analysis will be a part of the course. A major factor in the course will be the presentation of highly technical analysis of program code in such a way that non-technical people (particularly lawyers, judges, and juries) can understand the implications.

Lab sessions will be held to demonstrate forensic programming and analysis of code. Students will spend time in the labs doing analysis and disassembly of programs.

(Due to internationally agreed ethical standards for virus research, virus code will be provided to students for forensics and antiviral assessment lab work only, and special strictures will be placed on lab sessions to prevent dissemination of virus code from the lab. Laptop computers and removable media may not be permitted in these lab sessions. The instructor will not provide sample viruses for students to analyze outside of lab sessions, except under very rigorous conditions, and backed up by outside referees. Students are encouraged to bring to class and lab sessions any viruses or malware that they have encountered outside of the class. Students are forbidden to attempt to write viruses as part of the course requirements or assignments. Viruses written or modified by students for fulfillment of any course requirements will NOT be accepted. Evidence that any students have written or modified virus code and distributed it, even to other course members, will result in automatic failure in the course.)

Course Goals

The objective is to impart the concepts involved in determining characteristics of or in object code which might provide evidence of identity, cultural background, or intent. To this end, students should learn to identify:
- programming cultures
- cultural aspects of program design
- cultural aspects of coding practice
- cultural aspects of interface design
- differentiation between cultural and compiler imposed characteristics

Evaluation

[Given the state of the art in this field, the bulk of the work will involve actual disassemblies in assignments and/or projects. A final exam with essay type questions might be possible.]

[Given that this is the first operation of this course, some students may elect to replace some or all of the assignments (excluding the final exam, if given) with project work aimed at gathering resources necessary to running this course using other operating systems, such as the Windows 9x kernel, Windows NT kernel, Minix, Linux, or FreeBSD. Proposals for this option must be approved by the instructor.]

Final Examination: N.A.
Midterm Tests: N.A.
Quizzes: N.A.
Assignments: 30%
Projects/Reports: 60%
Other (Class participation): 10%
Passing Mark is 60%

Course Learning Outcomes/Competencies

On completion of this module, the students will be equipped with the knowledge and techniques to proceed to further exploration, study and practice in examination of program code for evidence of:
- signatures of compilers or other automated development tools
- signatures of existing programs that have been modified or used as a foundation
- signatures of different programming cultures
- signatures or other indications of individual programmers and their identities
- indications of sequencing of different versions of a program

Instructor(s)

Robert M. Slade
E-mail: rslade@sprint.ca, rslade@vcn.bc.ca, or slade@victoria.tc.ca

Note that email is sometimes not as reliable as we might wish, so sending course related materials to multiple addresses is advised, and will not be faulted. Please note that, for security reasons, my preference is for plain text rather than Microsoft Office or other dangerous file format attachments, or HTML formatted email.

Learning Resources

There is no available text for this course. Some relevant material may be found in:

"Computer Forensics and Privacy", Michael A. Caloyannides, 2001, 1-58053-283-7, U$79.00 - ragged, but a good resource for both data recovery and protection
"Computer Forensics", Warren G. Kruse II/Jay G. Heiser, 2001, 0-201-70719-5, U$39.99/C$59.95 - concentrates on data recovery and chain of evidence, but not bad in those areas
"Computer Virus Handbook", Harold Joseph Highland, 1990, 0-946395-46-2 - good overview, unfortunately somewhat dated, some good explanations of analysis of virus code
"Viruses Revealed", Robert M. Slade/David Harley/Urs Gattiker, 2001, 0-07-213090-3, U$39.99 - some examples of information extracted from virus code, plus examples of how that material can be used to determine authorship and sequencing
"Computer Ethics", Johnson, 1994, 0-13-290339-3 - the basic work in the field, thorough coverage and good discussion starter
"Computers, Ethics & Social Values", Johnson/Nissenbaum, 1995, 0-13-103110-4 - a collection of papers which doesn't extend Johnson's earlier work
"Hackers: Crime in the Digital Sublime", Paul A. Taylor, 1999, 0-415-18072-4, U$24.99 - best coverage of the phenomenon to date, though still with holes

A number of software resources will be needed, such as hex editors, assemblers/disassemblers, etc. A number of resources will be available at http://cstbtech.bcit.ca/FP; however, students should, and may be required to, find others.

[Additional recommended texts include:]

"A Pathology of Computer Viruses", David Ferbrache, 1992, 0-387-19610-2, U$49/UK#24.50
"Dissecting DOS", Podanoffsky, 1995, 0-201-62687-X, U$39.95/C$51.95 - complete assembler source code for a DOS replacement, with reference to the specifics of MS-DOS
"Uninterrupted Interrupts", Brown

http://www.cerias.purdue.edu/coast/coast-library.html
http://www.rosprombank.ru/~ig/docs.html - Documentation for disassembler writers
citeseer.nj.nec.com/cache/papers/cs/4165/http:zSzzSzwww.ce.chalmers.sezSz~stefanpzSzSecurityzSzforensics-2.pdf/krsul96authorship.pdf - Authorship analysis, Krsul/Spafford
http://citeseer.nj.nec.com/krsul96authorship.html - Authorship Analysis: Identifying The Author of a Program, Krsul/Spafford
divcom.otago.ac.nz:800/COM/INFOSCI/SMRL/people/andrew/andrewg.htm - Andrew Gray's Software Metrics (Including Authorship Analysis) and Neural Network/Statistical Modelling Page
http://www.dfrws.org/
http://tsehp.cjb.net/ - Last Fravia's mirror of Reverse code engineering
http://hometown.aol.com/qsums
http://citeseer.nj.nec.com/context/209346/0
http://citeseer.nj.nec.com/520289.html
http://www2.informatik.uni-erlangen.de/~phlipp/mypapers/jplag_jucs2001.pdf
http://plg.uwaterloo.ca/~migod/746/papers/bern-cloning.pdf
http://citeseer.nj.nec.com/cache/papers/cs/197/ftp:zSzzSzftp.cs.tcd.iezSzpubzSztcdzSztech-reportszSzreports.93zSzTCD-CS-93-22.pdf/cunningham93using.pdf
http://citeseer.nj.nec.com/wise96yap.html
http://citeseer.nj.nec.com/paul94framework.html
http://www.outreach.utk.edu/ljp/iafl/1997/abstracts/electronic_resources.htm
http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm
www.program-transformation.org/twiki/bin/view/Transform/DeCompilation
http://linux20368.dn.net/protools/decompilers.htm
http://www-2.cs.cmu.edu/afs/cs/user/ralf/pub/WWW/files.html
http://www2.dgsys.com/~raymoon/faq/asmfaq.zip
ftp://rtfm.mit.edu/pub/usenet-by-hierarchy/news/answers/assembly-language/x86/
http://www.x86.org/intel.doc/inteldocs.htm
http://www.kluweronline.com/oasis.htm/188945
http://www.acls.org/op37-ii.htm
http://www.forensic-evidence.com/site/ID/linquistics.html
http://www.ru.ac.za/academic/departments/english/e4e/scr93.htm
http://linguistlist.org/issues/5/5-1067.html
http://www.qucis.queensu.ca/achallc97/papers/p025.html
http://www.badguys.org/papers.htm - Some papers on cracker/vandal culture and characteristics
http://www.incolor.inetnebr.com/bill_r/computer_simulators.htm - simulators of early computers for simple assembly practice
http://uk.geocities.com/rob_anderton/ - NASM-IDE environment and editor

Assignment Details

Extra details will be provided to students, if required, during class sessions.

[Note that the details of this course may change depending upon resources available, particularly in terms of disassembly tools and research materials.]

[Note that this version of the course has been written anticipating that the computer viruses and malware course will not be available, and that students will not have been required to take an assembly programming course.]

Schedule

Week 1 (20020709)
Forensic programming basic concepts - course outline and requirements; differentiation between traditional computer forensics (data recovery), network forensics, and forensic programming; objectives of fp - intention/purpose/function of malware, versions and "families" of malware, cultural or group identity of programmer, specific identity of programmer; fp history - virus research; ethical aspects of security and fp; fp history - intentionality - operations and search strings, malware analysis; fp history - identity - BRAIN (plain text), Den Zuk (ham license), Melissa (GUID), Loveletter (web sites); fp in court

Week 2 (20020716)
The Players - hackers, crackers, phreaks, and other doodz; hackers - black hat vs white, types, justifications, malware, hacker characteristics, social engineering, motivations

Week 3 (20020723, 0900-1300H)
Objects of analysis - text strings, source code, object (machine) code; fp tools - trial runs (bait/goat systems/files), hex editors, sector/disk access (f-pbr, f-boot, DEBUG), disassemblers (DEBUG, Codeview, IDA Pro); initial signatures - file extensions, MZ, 55AA
Assignment: Assignment 1 - tool review and comparison
Assembly/machine language programming concepts - CPU structure, operations, registers, memory usage, opcodes, interrupts

Week 4 (20020723, 1300-1700H)
Tools/assembly/machine language programming lab

Week 5 (20020806)
Legal and ethical considerations - Canadian law, "cause to be modified," international law, evidence and proof, ethical standards, "hacker code," disclosure and special considerations for malware, presentation of technical evidence (reference to DNA evidence), ethics paper assignment
Assignment: Assignment 1 due; Assignment 3 topic, outline, and date due; Assignment 2 - ethics of reverse engineering

Week 6 (20020813, 0900-1300H)
Computer virus concepts and protections; forensic programming and analysis lab - the undecidability question, tripartite virus structure, assembly and machine code analysis, code and heuristic indicators (laptop computers and removable media will not be allowed in this lab)

Week 7 (20020813, 1300-1700H)
Programming cultures and cultural indicators - user interfaces and commands (MS Windows/CUA, text editors), program structures (MS Windows vs UNIX), program versions (Ohio/Den Zuk), virus and malware families and variants (Jerusalem/sURIV, Melissa/Papa/credit charge message), compiler signatures

Week 8 (20020827)
Function indicators - heuristic signatures (PSQR), operation/port scanning and logs, interrupts, dangerous operations
Assignment: Assignment 2 due

Week 9 (20020903)
Stylistic analysis - in literature, plagiarism, source code analysis

Week 10 (20020910)
fp history and case studies - virus identification and intent, virus families and signatures, virus variants and progression (Ohio/Den Zuk, Jerusalem/sURIV, AIDS trojan); identification - text in code (BRAIN, Den Zuk), ASCII vs Unicode, communications signatures (Morris, Loveletter), system artifacts (GUID/Melissa), source code (Loveletter), programming style

Week 11 (20020917)
Final Presentations

Week 12 (20020924)
Final Presentations & Course Evaluation

Course Evaluation - students will be requested to complete an evaluation questionnaire of the course.
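The week 3 "initial signatures" (MZ, 55AA) and week 10 "text in code, ASCII vs Unicode" items, as an added example that is not part of the course materials: all sample bytes are constructed, and the PE check via the e_lfanew field at offset 0x3C goes one step beyond what the outline lists.

```python
"""Added example (not course material): first-pass triage of a binary object
by the week 3 'initial signatures' (MZ, 55AA) and the week 10 'text in code,
ASCII vs Unicode' indicators.  All sample bytes are constructed."""
import re
import struct


def initial_signature(data: bytes) -> str:
    """Classify a blob by the signatures the outline lists as first checks.

    Goes one step beyond the outline: if the MZ header's e_lfanew field
    (offset 0x3C) points at 'PE\\0\\0', the file is a PE image rather than
    a plain DOS executable."""
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "MZ/PE executable"
        return "MZ (DOS) executable"
    if len(data) == 512 and data[510:512] == b"\x55\xaa":
        return "boot sector (55AA)"
    return "unknown"


def ascii_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Runs of printable 7-bit ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def utf16le_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Printable ASCII stored as UTF-16LE (char, NUL, char, NUL ...), which an
    ASCII-only pass misses.  The lookbehind stops the last byte of an adjacent
    ASCII string (e.g. the 'r' of 'Author\\0') from being glued on the front."""
    pattern = rb"(?<![\x20-\x7e])(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.decode("utf-16-le") for m in re.findall(pattern, data)]


def triage(data: bytes) -> dict:
    """One record per object: signature plus the text it carries."""
    return {"signature": initial_signature(data),
            "ascii": ascii_strings(data),
            "utf16": utf16le_strings(data)}


# --- constructed samples (not real programs, not from the course page) ------
def _mz_header(e_lfanew: int) -> bytes:
    """Minimal 64-byte MZ header with only the magic and e_lfanew filled."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return bytes(hdr)


DOS_SAMPLE = (_mz_header(0)
              + b"SAMPLE DOS PROGRAM (c) 2002 Example Author\x00"
              + "Unicode greeting text".encode("utf-16-le") + b"\x00\x00")
PE_SAMPLE = (_mz_header(0x40) + b"PE\x00\x00" + b"\x00" * 20
             + b"Example PE section text\x00")
BOOT_SAMPLE = bytearray(512)
BOOT_SAMPLE[0:3] = b"\xeb\x3c\x90"       # JMP over the BIOS parameter block
BOOT_SAMPLE[3:11] = b"EXAMPLE1"          # 8-byte OEM name field
BOOT_SAMPLE[510:512] = b"\x55\xaa"       # signature the BIOS loader checks
BOOT_SAMPLE = bytes(BOOT_SAMPLE)

if __name__ == "__main__":
    for name, blob in (("dos", DOS_SAMPLE), ("pe", PE_SAMPLE),
                       ("boot", BOOT_SAMPLE)):
        print(name, triage(blob))
```

Run against a real object, a hex editor or DEBUG dump of the same bytes should show the same text at the offsets the regexes report; disagreement is the first thing to explain before the strings are cited as evidence.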
BCIT Forensic Programming (COMP 7615)
Instructor: Robert Slade

Assignment 1: Tool review and comparison

Pick a type of forensic programming tool and choose two or three tools of the same type. (Two hex editors, three sector editors, two in-circuit emulators [ICE], etc.) (Information resources, such as books and Web sites, may be chosen, but students should research the items in question, in advance, to ensure suitability. Choice of information resources as assignment subjects requires approval of the instructor.)

Review the tools that you have chosen. Include assessments of availability (including price), ease of use (including installation, help systems, and noting particularly suitability to the task of forensic programming), compatibility (with a range of targets and systems), documentation, and performance (in terms of forensic information obtainable). Provide details of your reviews of the selected tools, as well as a comparison of the various tools in regard to forensic programming. Note that you need not simply make a decision on the "best" of the tools that you have chosen: give a reasonable assessment of the strengths and weaknesses of each.

In this assignment, bear in mind that the instructor has been reviewing books and software for a long time. Promotional fluff will *not* be accepted. Submissions may state personal preferences, but should concentrate on suitability to task and user audience, bearing in mind that forensic evidence and procedures may be required to be explained, under adversarial questioning, to a non-specialist judge and jury.

Marks:
- structure and presentation
- explanation of tools
- review of tools
- comparison of tools
- summary assessment
Total /

Due in class 5, 20020806

BCIT Forensic Programming (COMP 7615)
Instructor: Robert Slade

Assignment 2: Ethics of Reverse Engineering

Various levels of forensic programming may require reverse engineering, to some extent.
This may range from simple "black box" analysis of output and operations, to disassembly, to recreation of high level source code. However, a number of recent laws, such as the proposed UCITA as well as the DMCA in the United States, seek to limit or restrict the legality of reverse engineering. Your paper will examine ethical considerations in this debate. You may include references to legal and technical standards in your analysis: you *must* specify an ethical framework. Your paper should address the aspects of free speech, protection of intellectual property, information security requirements, and concerns about the general "chilling" of research and development.

Marks:
- structure and presentation
- ethical framework
- legal background
- analysis
- complete coverage
Total /

Due in class 8, 20020827

BCIT Forensic Programming (COMP 7615)
Instructor: Robert Slade

Assignment 3: Forensic Programming Research Topic Presentation

Each student will prepare a course project that applies the forensic programming methodology and tools, or researches a specific aspect of the subject. The project will consist of a presentation and a paper, due in weeks 11 (20020917) or 12 (20020924). Both the paper and the presentation should reflect professional preparation. The presentation is expected to usefully occupy fifteen minutes of class time: the paper should be approximately 20 pages in length. Assume that both works are to be presented to an appropriate audience, such as a lawyer or a court of law: an educated, but not necessarily technically literate group. In other words, make certain that you explain all technical aspects clearly.

A short written submission with your choice of topic, an outline of what you will present, and your choice of presentation date is due in week 5, 20020806.

The content of the paper and presentation should be useful and analytical. Marketing or promotional material is not acceptable, unless it is critically analyzed.
Oral presentations will be marked on the basis of content, organization and structure, style/presentation/speaker appearance, use of visual aids, audience participation, and adherence to time limits.

The presentation content should clearly follow the written paper upon which it is based (if applicable). The topic should be relevant and address the assignment specifications. The content presented should be comprehensive, accurate, and believable. The key points should be noted. The topic should be researched adequately.

The presentation should be well-organized, clear, and effectively structured. (If there is a group presentation, it should be integrated rather than being a disjointed series of individual presentations.) There should be an introduction to gain the audience's attention and explain the purpose of the presentation.

Dress and grooming should be appropriate to the suggested setting. Non-verbal cues and gestures should be appropriate to the presentation and flow of ideas. Content knowledge and confidence should be evident to the instructor and audience. Time must be used well and the presentation should not be rushed.

Visual aids should be used where appropriate (and should not merely be thrown in to cover a lack of research or depth). Visual aids should be appropriately professional given the presentation's context. Any graphics or illustrations should be easy to see and read. Media should be used correctly--i.e., overheads, videos, computer generated slides, charts, etc. Visual aids should contribute to the overall effectiveness of the presentation, and should definitely not detract from it.

The presenter(s) should involve the audience and solicit feedback. Questions from the audience should be effectively addressed and answered correctly.

The presenter(s) must stay within the allotted time limit. (Failure to do so may result in a deduction of points. However, a lack of material will definitely result in loss of marks.)
Written assignments will be marked on the basis of content/development, organization, and style/mechanics.

Students should ensure that, in the subject matter of the assignment, key elements of the assignment are covered, content is comprehensive, accurate, and persuasive, the text displays an understanding of relevant theory, major points are supported by specific details and examples, research is adequate and timely, and there is clear evidence that the student has gone beyond the textbook for resources. The assignment should also demonstrate higher-order thinking: the writer should compare, contrast, and integrate the theory and subject matter with the work environment and life experience, and the writer should analyze and synthesize theory and practice to develop new ideas and ways of conceptualizing and performing.

The introduction should provide sufficient background on the topic and preview the major points. The central theme and purpose should be immediately clear. The structure should be clear, logical, and easy to follow. Subsequent sections should develop and support the central theme. The conclusion and recommendations should follow logically from the body of the paper.

Marks:
- outline
- structure and presentation
- analysis
- complete coverage
Total /

Choice of topic, outline, and date due in class 5, 20020806
Due in class 11 (20020917) or 12 (20020924)

BCIT Forensic Programming (COMP 7615)
Instructor: Robert Slade

Student Data Sheet

Name:
Student number:
Email:

Programming languages known:
C __  C++ __  Java __  Visual Basic __  COBOL __  Pascal __  Assembler __  Other:

If you manage Web pages or sites that you would be willing to share, list the URLs here:

What experience have you had with information security, or with forensic computer work?

What are you expecting to get from this course?

Are there any topics *not* listed on the course syllabus that you would like to have included?
BCIT Policy Information for Students

Assignments: Late assignments or projects will not normally be accepted for marking. Assignments must be done on an individual basis unless otherwise specified by the instructor.

Attendance: Students are expected to attend classes regularly in accordance with the current BCIT calendar attendance policy. If you miss assignments, quizzes, tests, projects or exams, you may, at the discretion of the instructor, complete the work missed or have the work prorated (i.e. an average is given according to your performance throughout the course).

Course Outline Changes: The material specified in this course outline may be changed by the instructor. If changes are required, they will be announced in class.

Ethics: BCIT assumes that all students attending the Institute will follow a high standard of ethics. Incidents of cheating or plagiarism will be dealt with in accordance with BCIT's Conduct and Attendance Policy in the calendar and may result in a grade of zero for the assignment, quiz, test, exam or project for all parties involved and/or expulsion from the course.

Makeup Tests, Exams or Quizzes: There will be no makeup tests, exams or quizzes. If you miss a test, exam or quiz, you will receive zero marks. Exceptions or alternate arrangements *may* be made for documented medical reasons or extenuating circumstances.

Additional Expectations

Note that participation is expected in this course. Students should read the course outline and relevant materials in advance of the class, and be prepared to contribute relevant questions and comments demonstrating research and consideration. Arguments, when offered, should be substantiated and persuasively presented. Your participation should be such that the course is enhanced by your presence.

Note that assignments in this course have specific listed requirements, and marks are given only for the required elements included in the assignment.
Assignments must be complete in order to obtain full marks. Marks lost by failing to fulfill required elements of the assignment cannot be made up by adding material to other sections, or adding elements not required by the assignment. For example, an essay may typically require a problem statement (1 mark), research (2 marks), analysis (1 mark), and a conclusion (1 mark). Stating an opinion in place of a proper analysis of the data obtained in research would result in the loss of the mark for analysis, and this mark could not be made up by adding random facts to the research section.