Forensic Programming course outline and syllabus

(maintained by Rob Slade)

Computer forensics is primarily seen in terms of the recovery, and preservation for presentation as evidence, of data from computers that may have been used in the commission of some criminal activity. Occasionally this definition is extended to include analysis of data from network logs.

Forensic programming is a little known field. It involves the analysis of program code, rather than residual data, generally object or machine language code, in order to make a determination of, or provide evidence for, the intent or authorship of a program.

As forensic programming was pioneered in the field of computer viruses, virus analysis will be a part of the course.

A major factor in the course will be the presentation of highly technical analysis of program code in such a way that non-technical people (particularly lawyers, judges, and juries) can understand the implications.

Lab sessions will be held to demonstrate forensic programming and analysis of code. Students will spend time in the labs doing analysis and disassembly of programs.

(Due to internationally agreed ethical standards for virus research, virus code will be provided to students for forensics and antiviral assessment lab work only, and special strictures will be placed on lab sessions to prevent dissemination of virus code from the lab. Laptop computers and removeable media may not be permitted in these lab sessions. The instructor will not provide sample viruses for students to analyze outside of lab sessions, except under very rigorous conditions, and backed up by outside referees. Students are encouraged to bring to class and lab sessions any viruses or malware that they have encountered outside of the class. Students are forbidden to attempt to write viruses as part of the course requirements or assignments. Viruses written or modified by students for fulfillment of any course requirements will NOT be accepted. Evidence that any students have written or modified virus code and distributed it, even to other course members, will result in automatic failure in the course.)

Course Goals

The objective is to impart the concepts involved in determination of characteristics of or in object code which might provide evidence of identity, cultural background, or intent. To this end, students should learn to identify programming cultures, cultural aspects of program design, cultural aspects of coding practice, cultural aspects of interface design, and differentiation between cultural and compiler imposed characteristics.

Course Learning Outcomes/Competencies

On completion of this module, the students will be equipped with the knowledge and techniques to proceed to further exploration, study and practice in examination of program code for evidence of signatures of compilers or other automated development tools, signatures of existing programs that have been modified or used as a foundation, signatures of different programming cultures, signatures or other indications of individual programmers and their identities, and indications of sequencing of different versions of a program.

The syllabus for the forensic programming course is available in text format. The text format file also has the assignments, which are also available as assignment 1, assignment 2, and assignment 3. This is version three, as of July 19, 2002. Please check regularly for updates. The BCIT server also has a version in Microsoft Word format, but the Word version is not necessarily maintained up to date at all times.

There is no available text for this course. Some books with relevant material are:

"Computer Forensics and Privacy", Michael A. Caloyannides

"Computer Forensics", Warren G. Kruse II/Jay G. Heiser

"Computer Virus Handbook", Harold Joseph Highland

"Viruses Revealed", Robert M. Slade/David Harley/Urs Gattiker

"Computer Ethics", Johnson

"Hackers: Crime in the Digital Sublime", Paul A. Taylor

"A Pathology of Computer Viruses", David Ferbrache

"Dissecting DOS", Podanoffsky

"PC Interrupts", Ralf Brown/Jim Kyle

"Assembly Language Step-by-Step", Jeff Duntemann

A relatively recent and (currently) low traffic mailing list on computer forensics is available at Yahoo.

Resources for the next module, lecture two, "black hat"/cracker communities, is available here or here.

For the course given at BCIT, a number of resources are available on the BCIT server at

Forensic programming table of contents: here or here.

Top level menu for security related book reviews: here or here.

Security glossary: here or here.