COMP40790 Application Forensics

Academic Year 2019/2020

New application programs appear frequently and it is not possible to develop and teach forensic techniques covering examination of ALL existing and future applications. This module teaches forensic experimentation and reverse engineering (through disassembly) in order to equip students with the ability and knowledge to perform their own forensic research of unknown software & hardware applications (including malware) and to use the results of the performed forensic research to draw credible conclusions from the available evidence.

The course is logically divided into two parts. The first six weeks are devoted to classical software reverse engineering using disassembly, interactive debugging and dynamic monitoring of software behaviour. The key reverse engineering tools (IDA Pro, OllyDbg, and others) are introduced by example of x86 malware reverse engineering.

The second part of the course focuses on deriving approximate models of software applications for forensic purposes using forensic experimentation, machine learning and probabilistic inference. Some of the more advanced research topics on the application of machine learning and statistical inference to digital forensics will be presented here. Python and ProbLog (a probabilistic extension of Prolog) will be used as the programming / analytical environment in this part of the course.

Optional reading:

1. Andrew Honig and Michael Sikorski, Practical Malware Analysis.
2. Chris Eagle, The IDA Pro Book.
3. Craig Adam, Essential Mathematics and Statistics for Forensic Science.
4. Darrel P. Rowbottom, Probability.
5. ProbLog (https://dtai.cs.kuleuven.be/problog/)


Curricular information is subject to change

Learning Outcomes:

By the end of this module the students will be able to perform reverse engineering of simple applications through disassembly and experimentation and use model-based reasoning to draw conclusions from the available evidence. More specifically, the students will be able to:

* Write and interpret x86 assembly code
* Reverse engineer binary x86 executable code using IDA Pro and related tools.
* Construct probabilistic models for given incident scenarios using ProbLog.
* Use digital evidence as a source of training data for training probabilistic models.

Student Effort Hours:

Student Effort Type           Hours
Lectures                      24
Practical                     24
Autonomous Student Learning   200
Total                         248

Approaches to Teaching and Learning:

Not yet recorded

Requirements, Exclusions and Recommendations

Not applicable to this module.

Module Requisites and Incompatibles

Not applicable to this module.
Assessment Strategy

Description                                   Timing                 Open Book Exam   Component Scale   Must Pass Component   % of Final Grade
Examination: Written Examination 2 hour       End of Trimester Exam  Not specified    Graded            No                    50
Assignment: Model-based reasoning assignment  Week 12                n/a              Graded            No                    25
Assignment: Reverse engineering assignment    Week 6                 n/a              Graded            No                    25


Carry forward of passed components

Not yet recorded