Notices

  • End of course survey

    Posted by Tek Huynh Saturday 10 November 2018, 09:38:31 PM.

    Hey guys,

    Congratulations on completing the Digital Forensics course.

    If you have a few spare minutes, could you please fill out this survey so we can improve the course next year? We take this feedback seriously and take it on board in future iterations of the course, and we sincerely appreciate any feedback:

    https://goo.gl/forms/ZrVXCqelnDijlfw22

    We will release more information about a supplementary exam at a later date.

    If you have any other formal questions, please let us know at cs6445@cse.unsw.edu.au.

    I had lots of fun working with all of you.

    Tek

  • Exam Instructions and Downloads

    Posted by Roland Wen Saturday 10 November 2018, 10:37:31 AM.

    Hi everyone,

    Today is the day!

    The exam instructions are available at:

    https://exam.6445.sec.edu.au/

    Make sure you read the instructions carefully, at least twice.

    The exam files are encrypted so check that you're able to decrypt files using GPG. The instructions include a test file for you to test decrypting.

    If you are using your own laptop you can download the encrypted exam files before the exam (the prac image is about 200 MB).

    All the best, see you in the exam!

    Cheers, Roland

  • Exam VM

    Posted by Tek Huynh Friday 09 November 2018, 12:40:20 AM.

    General VM Info

    • Use of the VMs is optional. You may use your own laptop, use the lab computers, or both.
    • You will be provided with 2 VMs to use during the exam. There will be a prompt allowing you to select between the two.
    • Only one VM can run at a time.
    • The VMs do not persist changes, so any saved files will be lost when you exit the VM.
    • To help you with this limitation, you may use this tool to save your exam write-ups on the class account.
    • These VMs will already have the files for the practical section of the exam mounted onto the CD/DVD Drive, so no need to download them again. You will still need to download the theory questions as they are bundled separately.
    • You may download and install extra tools on the VMs if you wish during your exam time. You will be given the sudo/admin passwords to both VMs.
    • We will give you links to the exam files along with all the exam instructions tomorrow (hopefully).

    Windows 10 VM

    • Volatility
    • Redline
    • Autopsy
    • FTK Imager
    • Notepad
    • Note: Please do not log in as Administrator as this will trigger Windows Updates. The VM should already be logged in when you start it. You may need Administrator access to install or access things. This should be ok.

    Linux VM - Ubuntu 14.04

    • Emacs
    • Vim
    • VSCode
    • Sublime
    • The Sleuth Kit (TSK)
    • Volatility
    • Binwalk
    • Xattr
    • Binary Ninja
    • IDA
    • Radare2
    • Pwndbg
    • Pwntools

  • Info on Exam Contents

    Posted by Roland Wen Tuesday 06 November 2018, 10:55:42 PM.

    Hi everyone,

    Hope the study is going well!

    Here's some information on the contents of the exam.

    Cheers, Roland


    Examinable material

    The exam can include any material covered in:

    • lectures by Tim (this excludes the two guest lectures and the extended presentations)
    • lab exercises
    • assignments.

    Exam structure

    The exam has two parts worth 50% each: theory and practical. The exam is 3 hours and we recommend spending 1.5 hours on each part. But you're free to split the time however you wish.

    The theory part will have scenario questions with short answers. Here is a sample question: https://drive.google.com/open?id=1vIBScUKelt0HLnhxoOyo30GtsUM0zAQJ

    The practical part will have exercises like the labs and assignments. Answers to prac exercises will include short, informal write-ups, like a very light journal. Write-ups are worth half the marks.

    Since this is an exam the write-ups are not expected to be as detailed as in the assignments. But they must still be professional and contain enough detail for someone not familiar with the exercise to understand and follow the steps taken.

    Redoing the lab and assignment exercises, and practising journalling will be good preparation for the prac.

    Exam rules

    We want the exam to be as realistic and open as possible. The exam is open book and open Internet, and you can bring your own laptop so that you can use your preferred tools. But don't bring your gaming rig or 60 inch monitor.

    Exam conditions apply, so you must not attempt any unauthorised communication with others during the exam. The Good Faith Policy also applies.

    Supplementary exam

    A supplementary exam will be automatically offered to anyone who fails the exam but passes the theory part.

  • Exam details

    Posted by Tek Huynh Monday 05 November 2018, 08:26:26 PM.

    Hey guys,

    The exam will be held in the J17 level 3 labs this Saturday.

    The exam will run in the afternoon and start at 2.00pm so aim to be there at 1.45pm.

    Please remember to bring your student ID card.

    You may view your seating allocations here https://cgi.cse.unsw.edu.au/~cs6445/18s2/seating/final/register.cgi/allocations

    If you have not been allocated a seat, please contact the class account ASAP at cs6445@cse.unsw.edu.au

    I have also uploaded the Week 4 and Week 5 quizzes, which were done in class. They are under tutorials.

    Love Tek

  • Definitely an interesting notice!

    Posted by Nina Rodgers Monday 22 October 2018, 06:36:09 PM.

    Hello!

    A friendly reminder to please hop on and do your myExperience survey. We actually look at this data and make changes to our courses.

    Last semester, we received lots of really constructive feedback for COMP6443 Web Apps and we will be implementing all of the suggestions made. We really value what you guys have to say and we do our best to deliver quality content to you.

    So please, tell us all your thoughts and feelings! And if it doesn't fit into the framework of the survey, send us an email or let's get a coffee!

    Thank you!

    Nina

    PS. Do the survey!

  • 6445assn2v2 Re-release

    Posted by Sketch Tuesday 16 October 2018, 09:08:10 PM, last modified Tuesday 16 October 2018, 09:13:40 PM.

    Assignment 2 Re-release

    Administrations

    Howdy everyone! Assignment 2 is scheduled to be re-released today, and an announcement is due regarding the state of the original image that was provisioned out. Due to the nature of the Windows 10 architecture and being alerted by a student that there were strings in memory that were uncharacteristic of a fresh install, it was important to warn students of the possible presence of malware within the image rather than allowing you (the students) to engage with it in ignorance. The reason I had chosen Windows 10 as the assignment image is to provision a challenge and opportunity to work on bleeding edge technology as opposed to outdated technology that works better with Volatility.

    The worst case scenario is that a sophisticated and targeted attack had infected every process and hooked every single win32k function pointer in the system service descriptor table, but upon inspection it looks like the malware strings resident in memory are attributed to a Windows 10 anti-spyware process (MsMpEng.exe).

    Explanation

    It has been difficult trying to guarantee a predictable behaviour from Windows 10 memory, primarily due to the volatile nature of RAM and Windows 10 as a product developed in-house and without fully transparent documentation. The investigation has led to the conclusion that "There is no evidence that suggests that the image has been infected with malware." There are malware strings in the memory image, but this is now 'normal' according to Windows security processes. Students are encouraged to investigate what kind of malware strings are in memory (but remain vigilant and cautious on following the URLs). Attributing the strings to a process in memory is a different problem, but possible. You should try it with the new image.

    You don't need to execute anything extracted or debug anything (if you want). You could reverse engineer it or hexdump it too. Static analysis rocks.

    The release of the image was rushed such that there was not enough time to confirm that flags which otherwise should be in memory were there.

    The re-release of the image marks an improvement in that it is measured.

    Here is the link to the new image. Good luck, have fun - Sketch

    Assignment Due Date

    The new due date for the assignment is on: Tuesday the 30th October at 11:59 PM

    We are shortening the assignment so that you will be marked out of a total of 7 flags instead of 10 flags. Though more are in the image, you only need 7 to get 100% completion for this part of the assignment. You will need to work with what you have in order to find what you want.

    Volatility should help you greatly, but you should remember certain commands for later.

    If you have any questions about the assignment, post in the WebCMS forum.

    And if you have any feedback let us know over here once you have finished:

    https://docs.google.com/forms/d/1XRUrawcbscu26LNzP...

  • Project presentations for extended students

    Posted by Roland Wen Sunday 14 October 2018, 06:25:25 PM.

    Hi everyone,

    The presentations will all be in the Week 13 lecture. The project page has been updated with the details:

    https://webcms3.cse.unsw.edu.au/COMP6445/18s2/resources/20643

    If your group is missing or your topic is incorrect, post a reply in the forum and we'll fix it up.

  • STOP DOING ASSIGNMENT 2 IMMEDIATELY

    Posted by Tek Huynh Monday 08 October 2018, 11:40:29 PM.

    Hi guys,

    Please stop doing the assignment immediately.

    • We have found that the virtual machine from which the image was taken had been unintentionally infected with malware.
    • The 3GB image itself is not harmful to have on your system.
    • The danger is when processes are extracted and run.
    • Do not extract the Windows processes and run them as the extracted program may contain malware.

    At the moment, we are rebuilding the image - hopefully without any malware or other malicious entities. The image will then be redistributed and you will get an extension accordingly.

    If you have already extracted and run the process on your native Windows installation, we suggest you remove all extracted executables from your machine and stop using your computer now. We will get back to you ASAP on details about the malware and the possibility of removal.

    If you have used a Windows VM to run the extracted processes, infection is possible to the host machine but at this point we don't know if the malware has the ability to escape the VM. This is only an issue if you run a Windows VM on a Windows host as we currently believe the malware can only target Windows machines.

    We are very sorry for any inconvenience this has caused.

    If this was an incident response assignment, and forewarning was given of the existence and nature of the malware in the image, this would be an interesting assignment. But as of yet, we have no knowledge of how the virtual machine was infected by the malware (whether it was infected by the host, a targeted attack or a drive-by download). The malware itself looks primarily to be adware (with iframe injection functionality), however there are obfuscated PowerShell commands in memory too and the above two processes have been found to contain malware signatures.

    You are free to continue working on the image at your own risk, but we highly recommend that you do not.

  • Registration reminder for extended students

    Posted by Tek Huynh Friday 05 October 2018, 10:00:17 AM.

    Hi guys,

    Extended students need to register their groups by Wednesday. Those who register earlier will have a higher likelihood to receive their preferred presentation time slot. Indication of preference for time slots will be open soon.

    I have also given you an extension on the submission of your extended project. This is to give you the opportunity to ask your tutor questions during the tutorial and make any final adjustments before submission. The due date has been revised to Week 12 Wednesday 17th October 23:59:59.

    If you fail to register your group, you will fail to make a submission and receive 0 for your project.

    You may register your group here:

    https://goo.gl/forms/wjOx8mdlSrEc1gg03

    You may view the groups here:

    https://docs.google.com/spreadsheets/d/16PYZmY84wPOp9mYix_lGPdhp8gMJSrgA0dpHpZ35cU4/edit?usp=sharing

  • Assignment 2

    Posted by Tek Huynh Friday 05 October 2018, 09:31:34 AM.

    Hi guys,

    Assignment 2 has been released. It is still a draft as a few more things need to be filled in. There should be enough information for you to get started though. You can find the spec here:

    https://webcms3.cse.unsw.edu.au/COMP6445/18s2/resources/21277

  • Lecture Tonight

    Posted by Tek Huynh Thursday 04 October 2018, 02:25:45 PM.

    Hi guys,

    The lecture will still be running tonight at the same time and place as previous weeks. Sorry for the confusion.

    Also, the assignment spec will be released as soon as we have the image uploaded. Sketch has made many attempts at uploading the image but has failed. Sorry for the delay.

    Tek

  • Extended Students - Register your groups

    Posted by Tek Huynh Wednesday 03 October 2018, 03:55:15 PM.

    Hi guys,

    If you are in the extended stream, please register your groups here: https://goo.gl/forms/1lrSx7NZUjBExWan1

    You need to fill in this form to get marks for your extended portion.

    Thanks

  • Tutorial Changes

    Posted by Tek Huynh Tuesday 02 October 2018, 12:55:58 PM.

    Hi guys,

    • Yesterday's Monday tutorial was cancelled because of a public holiday
    • Tuesday's tutorials next week will be cancelled because of CySCA
    • If you missed yesterday's tutorial because of the public holiday, you will attend next week's tutorial as usual.
    • If you are going to miss next week's tutorial because of CySCA, you will attend this week's tutorial as usual but not next week.

    The tutorials will have the same content for the next 2 weeks of tutorials. You will be effectively attending 1 tutorial for the next 2 weeks. You do not need to attend another tutorial to make up for the cancelled tutorial.

    Tek

  • Lecture Cancellation

    Posted by Tek Huynh Thursday 20 September 2018, 03:27:50 PM.

    Hey guys,

    Our guest lecturer today has fallen ill and is not able to give a lecture today (20 September 2018). This means there will not be a lecture running today. We are sorry for any inconvenience caused. The topic that was meant to be presented this week is not assessable.

    Tek

  • FAQ has been updated

    Posted by Tek Huynh Wednesday 19 September 2018, 01:35:27 PM.

    Hey guys,

    The FAQ has been updated with questions from students and the answers to them. I highly recommend you have a read of this page. You can find the FAQ at "Assignments > Assignment 1 > Assignment 1 Group Component FAQ" or at the following link.

    https://webcms3.cse.unsw.edu.au/COMP6445/18s2/resources/20973

    Tek

  • Assignment 1 Groups

    Posted by Tek Huynh Thursday 13 September 2018, 04:55:52 PM.

    Hi guys,

    So I'm really sorry and I've lost track of all the groups that were supposed to be made because I wrote it on paper and thought I could keep track of this stuff. If you could please coordinate yourselves and submit the zIDs for your group, that would be greatly appreciated.

    Remember that you need a group to have a valid submission. Do not submit before your group number shows up here: https://webcms3.cse.unsw.edu.au/COMP6445/18s2/users/grades

    Please fill out this form to register your group:

    https://goo.gl/forms/y0PfOjfhRLXo95M22

    You can view groups here:

    https://docs.google.com/spreadsheets/d/1tUmFFZtukrwhGtSXgKUTs7x5Vhjkj6oEcviTYSDec3s/edit?usp=sharing

    Thank you so much.

    Tek

  • Example reports available

    Posted by Tek Huynh Tuesday 11 September 2018, 09:57:36 AM, last modified Tuesday 11 September 2018, 12:38:40 PM.

    Hey guys,

    Example reports for the group component of assignment 1 are available here https://webcms3.cse.unsw.edu.au/COMP6445/18s2/resources/20636

    These reports are an interesting read and not at all dry in my opinion. So remember that the reports you write as a group are about quality and not quantity.

    If you have any questions about this part of the assignment, please do not hesitate to ask on the slack. You may also ask here:

    https://webcms3.cse.unsw.edu.au/COMP6445/18s2/resources/20973

    I will figure out the best way to collate these questions and maintain an FAQ.

    Get crackin,

    Tek

  • Transitioning from drive to memory and malware forensics

    Posted by Sketch Monday 10 September 2018, 10:30:38 PM.

    Hey friends,

    The notes for the tutorial this week are out. I've indexed and shared a toolkit with some descriptions to help you with Windows process analysis. It's worth getting yourself a free Windows license from the CSE/Microsoft Imagine store. It's nice to put those free licenses to use. You should then consider installing FlareVM (by FireEye, link in the notes) which installs a superset of the tools that are discussed. Notes are available here.

    If you haven't already told me your zIDs in class, a form for it will be coming out soon for you to submit your alliances/allegiances. If you want to put the tools to that VM to good use, check out https://2018.flare-on.com

  • Assignment 1 Image 2

    Posted by Roland Wen Monday 03 September 2018, 08:15:11 AM.

    Hi everyone,

    Image 2 is now ready:

    https://webcms3.cse.unsw.edu.au/COMP6445/18s2/resources/20790

  • No Lecture

    Posted by Tek Huynh Wednesday 29 August 2018, 11:35:54 AM.

    Hey guys,

    There will be no lecture this week (Week 6 Thursday 30/07/18). Please use this time to get started with your assignments and remember that we will do a portfolio checkup next week.

    Tek

  • My First Forensics Investigation

    Posted by Roland Wen Monday 27 August 2018, 09:27:59 AM.

    Hi everyone!

    Assignment 1 is ready for you to investigate: https://webcms3.cse.unsw.edu.au/COMP6445/18s2/resources/20636

    We'll be adding a few more details to the spec over the next week.

    You should investigate Image 1 this week. We'll release Image 2 at the end of the week.

    Have fun! Post in the forums if you have any questions.

  • CTFd Platform

    Posted by Tek Huynh Thursday 23 August 2018, 12:04:51 PM.

    Hey guys,

    If you would like to have a place to submit your flags from the drive challenges, you can do so here:

    http://ctf.6445.sec.edu.au/challenges

    The page is not encrypted with https so please don't reuse passwords from any other online accounts. (You should never be doing this anyway)

    These don't count for marks. It's only for fun, satisfaction and bragging rights.

  • Notes and Challenges released for Week4

    Posted by Sketch Friday 17 August 2018, 12:37:36 AM.

    Hey friends!

    Got the chance to release the notes and challenges for this week, and I hope you enjoy the creativity that was employed in their construction and the obscure interfaces to which some of this week's challenges have exposed you. These challenges include HPA, MBR, steganography and using various logic/filetype encodings.

    Here's a set of tools that will help you:

    • xxd
    • binwalk
    • diff
    • mount
    • python
    • hdparm
    • ATATOOL
    • autopsy
    • redline
    • sed
    • strings
    • grep
    • fdisk
    • df
    • tsk
    • sift

    As mentioned in the tutorials, each set of challenges offers an opportunity to create a work journal depicting your applied forensic method. You can make a work journal for one set of challenges, or a couple. But for each set of challenges you should also submit a reflection of what you had learned. You are encouraged to be introspective in these journals. You should start feeling comfortable with mounting volumes and determining file types by now. Have fun, I'd be very impressed if you got all the flags by the coming tutorial.

  • Tutorial Week 2

    Posted by Tek Huynh Monday 30 July 2018, 01:16:23 PM.

    Hello All,

    Tutorials will be on this week. In the tutes, we will be setting up some software for future use and maybe go through some simple exercises if we have time.

    Warm Regards,

    Tek

  • Welcome to COMP6[48]45 Digital Forensics and Incident Response!

    Posted by Nina Rodgers Monday 23 July 2018, 09:58:08 AM.

    Hello all!

    I hope you enjoyed your break! This is just a quick note to say that there will be no class for this subject this week.

    The email account for this course is cs6445@cse.unsw.edu.au and your course admin is Tek Huynh. This email address reaches both of us so should you have any questions, just send us a message.

    We will be in touch with more info soon!

    Kind regards,

    Nina


COMP6445/COMP6845 18s2 (Digital Forensics and Incident Response) is powered by WebCMS3
CRICOS Provider No. 00098G