Boston University
Metropolitan College
Computer Science Department
Fall Semester 2009

Course Information

Course Number: MET CS 713 EL
Course Title: Advanced Digital Forensics: Malware Forensic Analysis
Class Location: Boston University Charles River Campus, Metropolitan College (MET) Computer Lab, 808 Commonwealth Avenue, 2nd Floor, Boston, MA 02215
Class Schedule: September 02, 2009 - December 21, 2009
Instructor: James Burrell
E-mail: burrell@bu.edu

Course Description

This course provides an introduction to the advanced digital forensic topic relating to malicious software (malware), which represents an increasing information security threat to computer systems and networks. Students will review software engineering design fundamentals and reverse engineering techniques utilized to conduct static and dynamic forensic analysis on computer systems and networks. Students will learn about the importance of forensic principles, legal considerations, digital evidence controls, and documentation of forensic procedures. This course will incorporate demonstrations and laboratory exercises to reinforce practical applications of course materials. Students will be required to conduct significant research and submit a report documenting the results of their research on a selected topic related to the course.

Course Objectives

1. Develop a comprehensive understanding of the threats and risks posed by malicious software to network and computing systems.

Boston University Course Syllabus MET CS-713 EL (Fall Semester 2009) Page 1 of 6
2. Examine the methodology and techniques utilized to detect malware for incident detection, prevention, and response.
3. Demonstrate the ability to utilize applications to acquire, analyze, and decompile malware binary files in static and dynamic environments.
4. Understand the importance of maintaining the integrity of digital evidence and the ability to accurately document forensic analysis procedures.
5. Develop the ability to accurately document procedures and results in a forensic report.
6. Demonstrate the ability to review case studies and conduct independent research to develop an in-depth understanding of a topic relating to malware forensic analysis.

Course Textbooks

REQUIRED TEXTBOOKS

Malware: Fighting Malicious Code
Ed Skoudis & Lenny Zeltser
Prentice Hall. 2003. ISBN: 978-0-13101-405-3

Reversing: Secrets of Reverse Engineering
Eldad Eilam
Wiley Publishing, Inc. 2005. ISBN: 978-0764574818

OPTIONAL TEXTBOOK

Malware Forensics: Investigating and Analyzing Malicious Code
James M. Aquilina, Eoghan Casey, & Cameron H. Malin
Syngress Publishing. 2008. ISBN: 978-1-59749-268-3

Instructional Methods

This course will utilize a hybrid instruction method, which will consist of traditional classroom-based instruction combined with self-directed learning exercises facilitated using computer and Internet-based technologies. This course will incorporate textbook reading assignments, lecture materials, interactive discussions, practical demonstrations, and laboratory exercises. The hybrid instruction format includes limited face-to-face on-campus sessions, and students should ensure their individual learning styles are consistent with self-directed learning methods in order to complete this course of study.
The course management system for this course will utilize the WebCT online learning environment (http://webct.bu.edu/) and official Boston University student e-mail accounts for course announcements, course documents, and assignments. Students are expected to check the WebCT site and their respective Boston University student e-mail accounts on a regular basis for class announcements and updated course materials.

Course Requirements

Class Sessions

The course will include four (4) class sessions held at the Boston University campus. The class sessions will include lectures, laboratory exercises, and an interactive exchange of course-related concepts and material. These sessions also provide students with the opportunity to interact with other students and schedule an individual meeting with the course instructor. The proposed class session dates are listed below (subject to change based on course and instruction requirements):

Class Session 01    September 12, 2009    9:00 AM - 12:00 PM
Class Session 02    October 17, 2009      9:00 AM - 12:00 PM
Class Session 03    November 07, 2009     9:00 AM - 12:00 PM
Class Session 04    December 05, 2009     9:00 AM - 12:00 PM

Homework Assignments

Homework will be assigned during the semester to reinforce topics presented during classroom sessions. Homework assignments and student submissions will be facilitated using WebCT. All homework must be the original effort of the student submitting the assignment. Homework assignments that are not submitted prior to the due date will not be accepted (without the prior approval of the course instructor) and the student will not receive credit for the respective assignment.

Laboratory Exercises

Laboratory exercises will be assigned during the semester to reinforce practical applications of course instruction and provide students with an opportunity to develop experience in the configuration and operation of forensic and information security software applications.
Laboratory exercises and student submissions will be facilitated using WebCT. All laboratory exercises must be the original effort of the student submitting the exercise. Laboratory exercises not submitted prior to the due date will not be accepted (without the prior approval of the course instructor) and the student will not receive credit for the respective exercise.

Research Project

A research project will be required in this course to explore a selected topic related to malware forensic analysis. Each student must submit a research
paper detailing their research findings. Research projects submitted after the due date will not be accepted and the student will not receive credit for this course element.

Important Notice

Students are expected to research and identify sources of credible information relating to their research topic. All sources of information must be acknowledged by the student (including written sections, diagrams, and pictures). If an exact copy of the source material is used, those passages must be within quotation marks to note they are not original statements of the student. Failure to acknowledge a source used may be considered a violation of the copyright act or the student academic conduct code.

Mid-Term and Final Examination

The mid-term and final examinations are cumulative and will be based on course textbook reading assignments, lecture materials and presentations, interactive class discussions, homework assignments, practical demonstrations, and laboratory exercises.

Computer and Internet Access Requirements

This course utilizes an online learning management system and incorporates the use of computer-based software applications for laboratory exercises, which requires students to have computer and Internet connectivity. Students are required to have access to a desktop or laptop computer system with sufficient processing, memory, and storage resources and authorization to install course-related software applications. Students may utilize the Boston University MET Computer Laboratory facilities during classroom sessions and during posted hours when the facility is available. It is the responsibility of the individual student to ensure they have access to appropriate computing resources for the duration of the semester.

Course Policies

Attendance and Participation

Students are expected to attend scheduled class sessions and participate in the active exchange of information in course discussion topics.
Students are responsible for all material presented and discussed during class sessions, laboratory exercises, and course discussion topics.

Instructor Office Hours

The course instructor will be available for weekly online office hours and will be accessible through the listed Boston University faculty e-mail address. Students
may also schedule an individual meeting with the instructor before or after the scheduled class sessions at the Boston University campus.

Grading and Evaluation

Final course grades will be determined by a weighted average of the homework assignments, laboratory exercises, research project, mid-term examination, and final examination in approximately the following manner (subject to change based on course and instruction requirements):

Attendance and Participation    10%
Homework and Lab Assignments    15%
Mid-Term Examination            20%
Research Project                25%
Final Examination               30%

Student Academic Conduct Code

All students entering Boston University are expected to maintain high standards of academic honesty and integrity. In Metropolitan College, the Student Academic Conduct Review Board, which is composed of students, faculty, and administrators, is responsible for the investigation of all charges of academic misconduct brought against students. Violations of this code are acts that constitute an attempt to be dishonest or deceptive in the performance of academic work in or out of the classroom. To alter academic records or to collaborate with another student or students is an act of academic misconduct. Violations include but are not limited to: cheating on examinations, plagiarism, misrepresentation or falsification of data, theft of an examination, stealing, unauthorized conversation is not allowed during examinations (any unauthorized conversation may be considered prima facie evidence of cheating), knowingly allowing another student to represent your work as his or her own, forgery, submitting the same work in more than one course without the consent of the instructors involved, and failure to comply with the sanctions imposed under the authority of this code.

Student Notice of Criminal, Civil, and Administrative Responsibility

The legal and authorized use of the materials, applications, processes, techniques or services described in this course, presented in written or verbal form, is the sole responsibility and liability of the individual student and the course instructor assumes no liability as to their use by student(s). The content and use of the course materials, applications, processes, techniques or services described in presentation materials or conveyed verbally by the course instructor may be limited or restricted by federal, state or local criminal and/or civil laws or the acceptable use in corporations, businesses or organizations. It is the
responsibility of the student to ensure that they do not perform any action, process or technique that could violate any criminal, civil or administrative laws, regulations and/or policies. There shall be no liability on the part of the course instructor for any loss or damage, direct or consequential arising from the use of this information or any action by student(s) that is determined to be in violation of any federal, state and/or local civil or criminal law, or for violation of any administrative regulation, policy or acceptable use policy that results in prosecution, or any loss, to include termination of employment, forfeiture, restitution or fines. Student enrollment in this course will constitute an agreement to the aforementioned terms and conditions of student responsibilities and liabilities.

Proposed Course Topics
(Course topics subject to change based on course and instruction requirements)

TOPICS

Introduction to Malware Analysis
Incident Response Fundamentals
Legal Aspects of Malware Forensics
Malware Detection Methods and Technologies
Malware Analysis Tools
Fundamentals of Software Engineering and Design
Forensic Acquisition of Malware
Static Analysis of Malware
Dynamic Analysis of Malware
Forensic Documentation and Reports