Hey guys,
Congratulations on completing the Digital Forensics course.
If you have a few spare minutes, could you please fill out this survey so we can improve the course next year. We take this feedback seriously and onboard it into future iterations of the course, and we sincerely appreciate any feedback:
https://goo.gl/forms/ZrVXCqelnDijlfw22
We will release more information about a supplementary exam at a later date.
If you have any other formal questions, please let us know at cs6445@cse.unsw.edu.au.
I had lots of fun working with all of you.
Tek
Hi everyone,
Today is the day!
The exam instructions are available at:
Make sure you read the instructions carefully, at least twice.
The exam files are encrypted so check that you're able to decrypt files using GPG. The instructions include a test file for you to test decrypting.
If you are using your own laptop you can download the encrypted exam files before the exam (the prac image is about 200 MB).
All the best, see you in the exam!
Cheers, Roland
Hi everyone,
Hope the study is going well!
Here's some information on the contents of the exam.
Cheers, Roland
The exam can include any material covered in:
The exam has two parts worth 50% each: theory and practical. The exam is 3 hours and we recommend spending 1.5 hours on each part. But you're free to split the time however you wish.
The theory part will have scenario questions with short answers. Here is a sample question: https://drive.google.com/open?id=1vIBScUKelt0HLnhxoOyo30GtsUM0zAQJ
The practical part will have exercises like the labs and assignments. Answers to prac exercises will include short, informal write-ups, like a very light journal. Write-ups are worth half the marks.
Since this is an exam the write-ups are not expected to be as detailed as in the assignments. But they must still be professional and contain enough detail for someone not familiar with the exercise to understand and follow the steps taken.
Redoing the lab and assignment exercises, and practising journalling will be good preparation for the prac.
We want the exam to be as realistic and open as possible. The exam is open book and open Internet, and you can bring your own laptop so that you can use your preferred tools. But don't bring your gaming rig or 60 inch monitor.
Exam conditions apply, so you must not attempt any unauthorised communication with others during the exam. The Good Faith Policy also applies.
A supplementary exam will be automatically offered to anyone who fails the exam but passes the theory part.
Hey guys,
The exam will be held in the J17 level 3 labs this Saturday.
The exam will run in the afternoon and start at 2.00pm so aim to be there at 1.45pm.
Please remember to bring your student ID card.
You may view your seating allocations here https://cgi.cse.unsw.edu.au/~cs6445/18s2/seating/final/register.cgi/allocations
If you have not been allocated a seat, please contact the class account ASAP at cs6445@cse.unsw.edu.au
I have also uploaded the Week 4 and Week 5 quizzes, which were done in class. They are under tutorials.
Love Tek
Hello!
A friendly reminder to please hop on and do your myExperience survey. We actually look at this data and make changes to our courses.
Last semester, we received lots of really constructive feedback for COMP6443 Web Apps and we will be implementing all of the suggestions made. We really value what you guys have to say and we do our best to deliver quality content to you.
So please, tell us all your thoughts and feelings! And if it doesn't fit into the framework of the survey, send us an email or let's get a coffee!
Thank you!
Nina
PS. Do the survey!
Howdy everyone! Assignment 2 is scheduled to be re-released today, and an announcement is due regarding the state of the original image that was provisioned out. Due to the nature of the Windows 10 architecture and being alerted by a student that there were strings in memory that were uncharacteristic of a fresh install, it was important to warn students of the possible presence of malware within the image rather than allowing you (the students) to engage with it in ignorance. The reason I had chosen Windows 10 as the assignment image is to provision a challenge and opportunity to work on bleeding edge technology as opposed to outdated technology that works better with Volatility.
The worst case scenario is that a sophisticated and targeted attack had infected every process and hooked every single win32k function pointer in the system service descriptor table, but upon inspection it looks like the malware strings resident in memory are attributed to a Windows 10 anti-spyware process (MsMpEng.exe).
It has been difficult trying to guarantee predictable behaviour from Windows 10 memory, primarily due to the volatile nature of RAM and Windows 10 being a product developed in-house and without fully transparent documentation. The investigation has led to the conclusion that "There is no evidence that suggests that the image has been infected with malware." There are malware strings in the memory image, but this is now 'normal' according to Windows security processes. Students are encouraged to investigate what kind of malware strings are in memory (but remain vigilant and cautious about following the URLs). Attributing the strings to a process in memory is a different problem, but possible. You should try it with the new image.
You don't need to execute anything extracted or debug anything (if you want). You could reverse engineer it or hexdump it too. Static analysis rocks.
The release of the image was rushed such that there was not enough time to confirm that flags which otherwise should be in memory were there.
The re-release of the image marks an improvement in that it is measured.
Here is the link to the new image
Good luck have fun - Sketch
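For the kind of investigation Sketch describes (obfuscated PowerShell strings sitting in the memory image, analysed statically rather than run), here is an added example that is not part of the course materials: a Python triage script that finds `-EncodedCommand` style command lines in a raw image, in both narrow and UTF-16LE wide string form, decodes them without executing anything, and reports the byte offset so the hit can be tied back to a process with Volatility. The dump, the command inside it and the URL are constructed placeholders, not data from the assignment image.

```python
# Added example (not part of the course announcement): static triage of a raw memory
# image for encoded PowerShell command lines, in ASCII and in the UTF-16LE form Windows
# keeps command lines in. Nothing is executed or fetched; the dump is constructed.
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the payload is base64
# over UTF-16LE text, which is why plain `strings` output looks like noise.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/]{16,}={0,2})", re.IGNORECASE)
URL_RE = re.compile(r"https?://[\w.\-/]+", re.IGNORECASE)


def _views(dump: bytes):
    """Narrow view plus wide views at both byte alignments; width/shift map back to offsets."""
    yield "ascii", dump.decode("latin-1"), 1, 0
    for shift in (0, 1):
        yield "utf-16le", dump[shift:].decode("utf-16-le", errors="replace"), 2, shift


def decode_encoded_command(b64: str) -> str:
    """Decode an -EncodedCommand argument; tolerates stripped base64 padding."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le", errors="replace")


def find_encoded_powershell(dump: bytes) -> list:
    """One record per hit: encoding, byte offset (hand it to Volatility to find the owner), decoded command."""
    hits = []
    for enc, text, width, shift in _views(dump):
        for m in ENC_RE.finditer(text):
            # Offset is exact for BMP text; a surrogate pair before the hit would skew it by 2.
            hits.append({"encoding": enc, "offset": m.start() * width + shift,
                         "command": decode_encoded_command(m.group(1))})
    return hits


def find_urls(dump: bytes) -> list:
    """URLs referenced in memory, listed for review only."""
    return sorted({u for _, text, _, _ in _views(dump) for u in URL_RE.findall(text)})


# Constructed sample: the same benign command once as a narrow string and once as a wide
# string, padded with filler bytes, followed by a placeholder URL.
_B64 = base64.b64encode("Write-Host 'hello from memory'".encode("utf-16-le")).decode()
SAMPLE_DUMP = (b"\x00" * 16 + f"powershell.exe -enc {_B64}".encode() + b"\x00" * 8
               + f"powershell -EncodedCommand {_B64}".encode("utf-16-le")
               + b"\xff" * 8 + b"http://example.invalid/ad.js")

if __name__ == "__main__":
    for hit in find_encoded_powershell(SAMPLE_DUMP):
        print(f"{hit['encoding']:>8} @ 0x{hit['offset']:06x}: {hit['command']}")
    print("URLs seen (do not visit):", find_urls(SAMPLE_DUMP))
```

Point the same functions at a real image with `find_encoded_powershell(open(path, "rb").read())`; the offsets are physical, so map them to a process with Volatility's process and VAD plugins rather than trusting proximity alone.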
The new due date for the assignment is on: Tuesday the 30th October at 11:59 PM
We are shortening the assignment so that you will be marked out of a total of 7 flags instead of 10 flags. Though more are in the image, you only need 7 to get 100% completion for this part of the assignment. You will need to work with what you have in order to find what you want.
Volatility should help you greatly, but you should remember certain commands for later.
If you have any questions about the assignment, post in the WebCMS forum.
And if you have any feedback let us know over here once you have finished:
Hi everyone,
The presentations will all be in the Week 13 lecture. The project page has been updated with the details:
https://webcms3.cse.unsw.edu.au/COMP6445/18s2/resources/20643
If your group is missing or your topic is incorrect, post a reply in the forum and we'll fix it up.
Hi guys,
Please stop doing the assignment immediately.
At the moment, we are rebuilding the image - hopefully without any malware or other malicious entities. The image will then be redistributed and you will get an extension accordingly.
If you have already extracted and run the process on your native Windows installation, we suggest you remove all extracted executables from your machine and stop using your computer now. We will get back to you ASAP on details about the malware and the possibility of removal.
If you have used a Windows VM to run the extracted processes, infection of the host machine is possible, but at this point we don't know if the malware has the ability to escape the VM. This is only an issue if you run a Windows VM on a Windows host, as we currently believe the malware can only target Windows machines.
We are very sorry for any inconvenience this has caused.
If this was an incident response assignment, and forewarning was given of the existence and nature of the malware in the image, this would be an interesting assignment. But as of yet, there is no knowledge of how the virtual machine was infected by the malware (whether it was infected by the host, a targeted attack or a drive-by download). The malware itself looks primarily to be adware (with iframe injection functionality); however, there are obfuscated PowerShell commands in memory too, and the above two processes have been found to contain malware signatures.
You are free to continue working on the image at your own risk, but we highly recommend that you do not.
Hi guys,
Extended students need to register their groups by Wednesday. Those who register earlier will have a higher likelihood to receive their preferred presentation time slot. Indication of preference for time slots will be open soon.
I have also given you an extension on the submission of your extended project. This is to give you the opportunity to ask your tutor questions during the tutorial and make any final adjustments before submission. The due date has been revised to Week 12 Wednesday 17th October 23:59:59.
If you fail to register your group, you will fail to make a submission and receive 0 for your project.
You may register your group here:
https://goo.gl/forms/wjOx8mdlSrEc1gg03
You may view the groups here:
https://docs.google.com/spreadsheets/d/16PYZmY84wPOp9mYix_lGPdhp8gMJSrgA0dpHpZ35cU4/edit?usp=sharing
Hi guys,
Assignment 2 has been released. It is still a draft as a few more things need to be filled in. There should be enough information for you to get started though. You can find the spec here:
https://webcms3.cse.unsw.edu.au/COMP6445/18s2/resources/21277
Hi guys,
The lecture will still be running tonight at the same time and place as previous weeks. Sorry for the confusion.
Also, the assignment spec will be released as soon as we have the image uploaded. Sketch has made many attempts at uploading the image but has failed. Sorry for the delay.
Tek
Hi guys,
If you are in the extended stream, please register your groups here: https://goo.gl/forms/1lrSx7NZUjBExWan1
You need to fill in this form to get marks for your extended portion.
Thanks
Hi guys,
The tutorials will have the same content for the next 2 weeks of tutorials. You will effectively be attending 1 tutorial for the next 2 weeks. You do not need to attend another tutorial to make up for the cancelled tutorial.
Tek
Hey guys,
Our guest lecturer today has fallen ill and is not able to give a lecture today (20 September 2018). This means there will not be a lecture running today. We are sorry for any inconvenience caused. The topic that was meant to be presented this week is not assessable.
Tek
Hey guys,
The FAQ has been updated with questions from students and the answers to them. I highly recommend you have a read of this page. You can find the FAQ at " Assignments > Assignment 1 > Assignment 1 Group Component FAQ " or at the following link.
https://webcms3.cse.unsw.edu.au/COMP6445/18s2/resources/20973
Tek
Hi guys,
So I'm really sorry and I've lost track of all the groups that were supposed to be made because I wrote it on paper and thought I could keep track of this stuff. If you could please coordinate yourselves and submit the zIDs for your group, that would be greatly appreciated.
Remember that you need a group to have a valid submission. Do not submit before your group number shows up here: https://webcms3.cse.unsw.edu.au/COMP6445/18s2/users/grades
Please fill out this form to register your group:
https://goo.gl/forms/y0PfOjfhRLXo95M22
You can view groups here:
https://docs.google.com/spreadsheets/d/1tUmFFZtukrwhGtSXgKUTs7x5Vhjkj6oEcviTYSDec3s/edit?usp=sharing
Thank you so much.
Tek
Hey guys,
Example reports for the group component of assignment 1 are available here https://webcms3.cse.unsw.edu.au/COMP6445/18s2/resources/20636
These reports are an interesting read and not at all dry in my opinion. So remember that the reports you write as a group are about quality and not quantity.
If you have any questions about this part of the assignment, please do not hesitate to ask on the slack. You may also ask here:
https://webcms3.cse.unsw.edu.au/COMP6445/18s2/resources/20973
I will figure out the best way to collate these questions and maintain an FAQ.
Get crackin,
Tek
Hey friends,
The notes for the tutorial this week are out. I've indexed and shared a toolkit with some descriptions to help you with Windows process analysis. It's worth getting yourself a free Windows license from the CSE/Microsoft Imagine store. It's nice to put those free licenses to use. You should then consider installing FlareVM (by FireEye, link in the notes), which installs a superset of the tools that are discussed. Notes are available here.
If you haven't already told me your zIDs in class, a form for it will be coming out soon for you to submit your alliances/allegiances. If you want to put the tools in that VM to good use, check out
https://2018.flare-on.com
Hi everyone,
Image 2 is now ready:
https://webcms3.cse.unsw.edu.au/COMP6445/18s2/resources/20790
Hey guys,
There will be no lecture this week (Week 6 Thursday 30/07/18). Please use this time to get started with your assignments and remember that we will do a portfolio checkup next week.
Tek
Hi everyone!
Assignment 1 is ready for you to investigate: https://webcms3.cse.unsw.edu.au/COMP6445/18s2/resources/20636
We'll be adding a few more details to the spec over the next week.
You should investigate Image 1 this week. We'll release Image 2 at the end of the week.
Have fun! Post in the forums if you have any questions.
Hey guys,
If you would like to have a place to submit your flags from the drive challenges, you can do so here:
http://ctf.6445.sec.edu.au/challenges
The page is not encrypted with https so please don't reuse passwords from any other online accounts. (You should never be doing this anyway)
These don't count for marks. It's only for fun, satisfaction and bragging rights.
Hey friends!
Got the chance to release the notes and challenges for this week, and I hope you enjoy the creativity that was employed in their construction and the obscure interfaces to which some of this week's challenges have exposed you. These challenges include HPA, MBR, steganography and using various logic/filetype encodings.
Here's a set of tools that will help you:
As mentioned in the tutorials, each set of challenges offers an opportunity to create a work journal depicting your applied forensic method. You can make a work journal for one set of challenges, or a couple. But for each set of challenges you should also submit a reflection of what you had learned. You are encouraged to be introspective in these journals. You should start feeling comfortable with mounting volumes and determining file types by now. Have fun, I'd be very impressed if you got all the flags by the coming tutorial.
Hello All,
Tutorials will be on this week. In the tutes, we will be setting up some software for future use and maybe go through some simple exercises if we have time.
Warm Regards,
Tek
Hello all!
I hope you enjoyed your break! This is just a quick note to say that there will be no class for this subject this week.
The email account for this course is cs6445@cse.unsw.edu.au and your course admin is Tek Huynh. This email address reaches both of us, so should you have any questions, just send us a message.
We will be in touch with more info soon!
Kind regards,
Nina