Thursday, August 25, 2011

Forensics Reading List

This is the list that my professor has decided we need to read or be familiar with.
Thought I would pass it along in case someone wanted some articles to read, or wants to add to it.

Required Reading List

Note: The instructor may make minor changes or add a few more papers to this list during the semester.

Module I: Digital Forensics: An Overview

  1. [Required] Gary Palmer, A Road Map for Digital Forensic Research, Digital Forensic Research Workshop (DFRWS), Final Report, Aug. 2001.
  2. [Required] Sarah Mocas, Building Theoretical Underpinnings for Digital Forensics Research, Digital Investigation, vol. 1, pp. 61-68, 2004.
Module II: Forensics Basics and Criminalistics

No required readings. Here is a reference book.
  1. Richard Saferstein, Criminalistics: An Introduction to Forensic Science, 8th edition, Prentice Hall, Inc., 2004, ISBN: 0-13-111852-8.
Module III: Basic networking and OS Concepts: A Review
No required readings. Please read CprE 308 and 489 textbooks whenever needed.
  1. Andrew Tanenbaum, Modern Operating Systems, 2nd Edition, Prentice Hall, Inc., 2001, ISBN: 0-13-031358-0.
  2. Alberto Leon-Garcia and Indra Widjaja, Communication Networks: Fundamental Concepts and Key Architectures, 1st Edition, McGraw-Hill Companies, Inc., 2000, ISBN 0-07-022839-6.
Module IV: Advanced Topics in Computer and Network Forensics
Forensic Duplication and Analysis
  1. [Required] Brian D. Carrier and Joe Grand, A Hardware-Based Memory Acquisition Procedure for Digital Investigations, Journal of Digital Investigations, March 2004 edition, 2004.
  2. [Required] The Survey of Disk Image Formats, CDESF Technical Working Group, September 2006.
(More will be added).
Cyber Forensics Tools and the Testing Thereof
  1. Encase Online Manual (on Lab Machines)
  2. FTK Online Manual (on Lab Machines)
  3. Bruce Schneier and John Kelsey, Secure Audit Logs to Support Computer Forensics, ACM Transactions on Information and System Security, v. 1, n. 3, 1999.
  4. Alec Yasinsac and Yanet Manzano, "Policies to Enhance Computer and Network Forensics," in Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, United States Military Academy, West Point, NY, 5-6 June, 2001.
  5. Eoghan Casey, Practical approaches to recovering encrypted digital evidence, Digital Forensic Research Workshop (DFRWS), Aug. 2002.
  6. Matthew Geiger, Evaluating Commercial Counter-Forensic Tools, Digital Forensic Research Workshop (DFRWS), Aug. 2005.
PDA and Cell Phone Forensic Analysis
  1. [Required] Wayne Jansen and Rick Ayers, Guidelines on PDA Forensics, NIST, August 2004.
  2. [Required] Mobile Device Forensics (Blackberry, Android), 2009.
Network Surveillance
(Will be added).
Profiling Cyber Criminals
  1. Eric Shaw, Keven G. Ruby, and Jerrold M. Post, The Insider Threat to Information Systems: The Psychology of the Dangerous Insider, Security Awareness Bulletin, No. 2-98. 1998.
Network Attack Traceback and Attribution
IP Traceback
  1. K. Shanmugasundaram, et al., Payload Attribution via Hierarchical Bloom Filters, in Proceedings of the ACM CCS 2004.
  2. [Required] A. Belenky and N. Ansari, IP Traceback with Deterministic Packet Marking, IEEE Communications Letters, vol. 7, no. 4, pp. 162-164, Apr. 2003.
  3. [Required] Alex C. Snoeren, Craig Partridge, Luis A. Sanchez, Christine E. Jones, Fabrice Tchakountio, Beverly Schwartz, Stephen T. Kent, and W. Timothy Strayer, Single-Packet IP Traceback, IEEE/ACM Transactions on Networking (ToN), Volume 10, Number 6, pp. 721-734, December 2002.
  4. Micah Adler, Tradeoffs in Probabilistic Packet Marking for IP Traceback, in Proceedings of the 34th ACM Symposium on Theory of Computing (STOC) 2002.
  5. D. Song and A. Perrig, Advanced and Authenticated Marking Schemes for IP Traceback, in Proc. of IEEE INFOCOM 2001, Apr. 2001.
  6. [Required] M. F. D. Dean and A. Stubblefield, An Algebraic Approach to IP Traceback, in Network and Distributed System Security Symposium (NDSS '01), Feb. 2001.
  7. [Required] Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson, Practical Network Support for IP Traceback, Proceedings of the 2000 ACM SIGCOMM Conference, pp. 295-306, Stockholm, Sweden, August 2000.
  8. Steve Bellovin, ICMP Traceback Messages, Network Working Group Internet Draft, 2000.
Stepping Stone Attack Attribution
  1. [Required] A. Blum, D. Song, and S. Venkataraman, Detection of Interactive Stepping Stones: Algorithms and Confidence Bounds, in 7th International Symposium on Recent Advances in Intrusion Detection (RAID 2004), Sophia Antipolis, France, Sept. 2004.
  2. W. T. Strayer, C. E. Jones, I. Castineyra, J. B. Levin, and R. R. Hain, An Integrated Architecture for Attack Attribution, BBN Technologies, Tech. Rep. BBN REPORT-8384, Dec. 2003.
  3. [Required] X. Wang and D. S. Reeves, Robust Correlation of Encrypted Attack Traffic through Stepping Stones by Manipulation of Interpacket Delays, in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS 2003), Washington DC, USA, Oct. 2003.
  4. X. Wang, D. S. Reeves, and S. F. Wu, Inter-packet Delay Based Correlation for Tracing Encrypted Connections through Stepping Stones, in Proceedings of the 7th European Symposium on Research in Computer Security (ESORICS 2002), Zurich, Switzerland, pp. 244-263, Oct. 2002.
  5. D. L. Donoho, A. G. Flesia, U. Shankar, V. Paxson, J. Coit, and S. Staniford, Multiscale Stepping-Stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay, in Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), Zurich, Switzerland, Oct. 2002.
  6. X. Wang, D. S. Reeves, S. F. Wu, and J. Yuill, Sleepy Watermark Tracing: An Active Network-Based Intrusion Response Framework, in Proceedings of the 16th International Conference on Information Security (IFIP/Sec '01), Paris, France, June 2001.
  7. [Required] K. Yoda and H. Etoh, Finding a Connection Chain for Tracing Intruders, in Proceedings of the 6th European Symposium on Research in Computer Security (ESORICS 2000), Toulouse, France, Oct. 2000.
  8. [Required] Y. Zhang and V. Paxson, Detecting Stepping Stones, in Proceedings of the 9th USENIX Security Symposium, Denver, USA, pp. 171-184, Aug. 2000.
VoIP Security, Caller-ID Services, and Tracing Anonymous VoIP Calls
  1. [Required] R. Kuhn, T. Walsh, and S. Fries, Security Considerations for Voice Over IP Systems, NIST Special Publication 800-58, January 2005.
  2. [Required] X. Wang, S. Chen, and S. Jajodia, Tracking Anonymous Peer-to-Peer VoIP Calls on the Internet, in Proceedings of ACM CCS, 2005.
P2P Forensics
  1. [Required] Robert Erdely, Thomas Kerle, Brian Levine, Marc Liberatore and Clay Shields, Forensic Investigation of Peer-to-Peer File Sharing Networks, DFRWS 2010.
Botnets Investigative Analysis (Optional)

  1. Laurianne McLaughlin, Bot Software Spreads, Causes New Worries, IEEE DISTRIBUTED SYSTEMS ONLINE, Vol. 5, No. 6; June 2004.
  2. Bill McCarty, Botnets: Big and Bigger, IEEE Security & Privacy, July/August 2003.
  3. David Dagon, Guofei Gu, Cliff Zou, Julian Grizzard, Sanjeev Dwivedi, Wenke Lee, Richard Lipton, A Taxonomy of Botnets, NSF Cybertrust PI meeting, September 25, 2005.
  4. Felix C. Freiling, Thorsten Holz, and Georg Wicherski, Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks, tech report, Department of Computer Science, RWTH Aachen University, April 2005.
  5. Ramneek Puri, Bots & Botnet: An Overview, GSEC Practical Assignment Version, SANS Institute, August 2003.
  6. Evan Cooke, Farnam Jahanian, Danny McPherson, The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets, USENIX SRUTI'05: Steps to Reducing Unwanted Traffic on the Internet Workshop, Cambridge, MA, July 7, 2005.
  7. Know your Enemy: Tracking Botnets, word version.
  8. [Required] Anirudh Ramachandran, et al., "Revealing Botnet Membership Using DNSBL Counter-Intelligence," in SRUTI '06.
  9. [Required] Cliff C. Zou and Ryan Cunningham, "Honeypot-Aware Advanced Botnet Construction and Maintenance," in the International Conference on Dependable Systems and Networks (DSN), June 25-28, Philadelphia, 2006.
  10. [Required] David Dagon, Cliff C. Zou, and Wenke Lee. "Modeling Botnet Propagation Using Time Zones," in 13th Annual Network and Distributed System Security Symposium (NDSS), p.235-249, Feb. 2-4, San Diego, 2006.

(Will be added).
Multimedia Forensics and Multicast Fingerprinting

  1. [Required] H. Chu, L. Qiao, and K Nahrstedt, "A secure multicast protocol with copyright protection," Proceedings IS&T/SPIE Symposium on Electronic Imaging: Science and Technology, San Jose, CA, Jan. 1999.
  2. [Required] B. Briscoe and I. Fairman, "Nark: Receiver-based multicast non-repudiation and key management," ACM Conference on Electronic Commerce, Denver, CO, Nov. 1999.
  3. [Required] I. Brown, C. Perkins, and J. Crowcroft, "Watercasting: Distributed watermarking of multicast media," Network Group Communication, Pisa, Italy, pp. 286-300, Nov. 1999.
  4. [Required] P. Judge and M. Ammar, "WHIM: Watermarking Multicast Video with a Hierarchy of Intermediaries," Proc. NOSSDAV, Chapel Hill, NC, Jun. 2000.
  5. R. Parviainen and P. Parnes, "Large Scale Distributed Watermarking of Multicast Media through Encryption," in Proc. of the IFIP TC6/TC11 International Conference on Communications and Multimedia Security Issues of the New Century, vol. 64, pp. 149-158, 2001.
  6. P. Judge and M. Ammar, "Security Issues and Solutions in Multicast Content Distribution: A Survey," IEEE Network, Jan./Feb. 2003.
  7. W. Trappe, M. Wu, Z.J. Wang, and K.J.R. Liu, "Anti-Collusion Fingerprinting for Multimedia," IEEE Trans. on Signal Processing, vol. 51, no. 4, pp. 1069-1087, special issue on Signal Processing for Data Hiding in Digital Media and Secure Content Delivery, April 2003.
  8. A. Eskicioglu, "Multimedia Security in Group Communications: Recent Progress in Key Management, Authentication and Watermarking," ACM Multimedia Systems, Special Issue on Multimedia Security 9, pp. 239-248, Sep. 2003.
  9. [Required] M. Wu, W. Trappe, Z.J. Wang, and K.J.R. Liu, "Collusion-Resistant Fingerprinting for Multimedia," IEEE Signal Processing Magazine, Special Issue on Digital Rights: Management, Protection, Standardization, vol. 21, no. 2, pp. 15-27, March 2004.
  10. Z.J. Wang, M. Wu, W. Trappe, and K.J.R. Liu, "Group-Oriented Fingerprinting for Multimedia Forensics," EURASIP Journal on Applied Signal Processing, Special Issue on Multimedia Security and Rights Management, 2004:14, pp. 2142-2162, Nov. 2004.
  11. H. Zhao and K.J.R. Liu, "Bandwidth Efficient Fingerprint Multicast for Video Streaming," IEEE Int. Conf. on Acoustics, Speech and Signal Processing, May 2004.
  12. H. Zhao and K.J.R. Liu, "A Secure Multicast Scheme for Anti-Collusion Fingerprinted Video," Global Telecommunications Conference, 2004.
  13. H. Zhao, M. Wu, Z.J. Wang, and K.J.R. Liu, "Forensic Analysis of Nonlinear Collusion Attacks for Multimedia Fingerprinting," IEEE Trans. on Image Processing, vol. 14, no. 5, pp. 646-661, May 2005.
  14. Z.J. Wang, M. Wu, H. Zhao, W. Trappe, and K.J.R. Liu, "Anti-Collusion Forensics of Multimedia Fingerprinting Using Orthogonal Modulation," IEEE Trans. on Image Processing, June 2005.
  15. [Required] H. Zhao and K.J.R. Liu, "Fingerprint Multicast for Secure Video Streaming," in IEEE Trans. on Image Processing.
Crime Scene Reconstruction: Evidence Linkage Discovery and Causal Reasoning
  1. [Required] J. Adibi, et al., The KOJAK Group Finder: Connecting the Dots via Integrated Knowledge-Based and Statistical Reasoning, in Proceedings of the Sixteenth Innovative Applications of Artificial Intelligence Conference (IAAI-04), 2004.
  2. J. Zhang and V. Honavar, Learning Decision Tree Classifiers from Attribute Value Taxonomies and Partially Specified Data, in Proceedings of the International Conference on Machine Learning (ICML-03), 2003.
  3. [Required] J. Xu and H. Chen, The Topology of Dark Networks, Communications of the ACM, Vol. 51, No. 10, October 2008.
Stock Spam

  1. [Required] Frieder and Zittrain, Spam Works: Evidence from Stock Touts and Corresponding Market Activity, working paper, March 2007.
  2. [Required] Hanke and Hauser, On the Effects of Stock Spam E-mails, working paper (later version published in the Journal of Financial Markets, 11(1), February 2008).
  3. [Required] Böhme and Holz, The Effect of Stock Spam on Financial Markets, working paper (also published in WEIS 2006), April 2006.

Case Studies
No required readings.
Module V: Investigative Techniques from Intrusion Detection and Response

  1. [Required] H. Debar, M. Dacier, and A. Wespi, A Revised Taxonomy for Intrusion-Detection Systems, Research Report of IBM Zurich Research Lab, 1999.
General Model
  1. D. Denning, An Intrusion-Detection Model, 1986.
  2. R. Maxion and K. M. C. Tan, Benchmarking Anomaly-Based Detection Systems, 2000.
Detection Method

Misuse Detection

  1. K. Ilgun, R. A. Kemmerer, and P. A. Porras, State Transition Analysis: A Rule-Based Intrusion Detection Approach, 1995.
  2. C. Y. Chung, M. Gertz, and K. Levitt, DEMIDS: A Misuse Detection System for Database Systems, 1999.

Anomaly Detection

  1. H. S. Javitz and A. Valdes, The SRI IDES Statistical Anomaly Detector, 1991.
  2. S. Forrest, S. A. Hofmeyr, A. Somayaji, and T. A. Longstaff, A Sense of Self for Unix Processes, 1996.
  3. D. Wagner and D. Dean, Intrusion Detection via Static Analysis, 2001.
  4. R. Sekar, M. Bendre, D. Dhurjati, and P. Bollineni, A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors, 2001.
Learning (or Data Mining) Based Approaches
  1. C. Warrender, S. Forrest, and B. Perlmutter, Detecting Intrusions Using System Calls: Alternative Data Models, 1999.
  2. A. Valdes and K. Skinner, Probabilistic Alert Correlation, 2000.
Implementation Issues
  1. B. Mukherjee, L. T. Heberlein, and K. N. Levitt, Network Intrusion Detection, 1994.
  2. F. Kerschbaum, E. H. Spafford, and D. Zamboni, Using Embedded Sensors for Detecting Network Attacks, 2000.
  3. P. A. Porras and A. Valdes, Live Traffic Analysis of TCP/IP Gateways, 1998.
  4. J. S. Balasubramaniyan, J. O. Garcia-Fernandez, D. Isacoff, E. H. Spafford, and D. Zamboni, An Architecture for Intrusion Detection Using Autonomous Agents, 1998.
  5. S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, J. Rowe, S. Staniford, R. Yip, D. Zerkle, The Design of GrIDS: A Graph-Based Intrusion Detection System, 1999.
  6. W. Lee, W. Fan, M. Miller, S. Stolfo, and E. Zadok, Toward Cost-Sensitive Modeling for Intrusion Detection and Response, 2001.
Evaluation Issues
  1. N. J. Puketza, K. Zhang, M. Chung, B. Mukherjee, and R. A. Olsson, A Methodology for Testing Intrusion Detection Systems, 1996.
  2. R. P. Lippmann, D. J. Fried, I. Graf, J. W. Haines, K. P. Kendall, D. McClung, D. Weber, S. E. Webster, D. Wyschogrod, R. K. Cunningham, and M. A. Zissman, Evaluating Intrusion Detection Systems: The 1998 DARPA Off-line Intrusion Detection Evaluation, 2000.
  3. R. P. Lippmann, J. W. Haines, D. J. Fried, J. Korba, and K. Das, The 1999 DARPA Off-line Intrusion Detection Evaluation, 2000.

Module VI: Steganography & Steganalysis
  1. [Required] Ross J. Anderson and Fabien A. P. Petitcolas, Information Hiding: An Annotated Bibliography, 1999.
  2. Ross Anderson, Fabien A.P. Petitcolas, On The Limits of Steganography, 1998.
Module VII: Anonymity/Pseudonymity/P3P
  1. [Required] David Chaum, Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms, CACM, v. 24, n. 2, pp. 84-88, 1981.
  2. [Required] David Chaum, The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability, Journal of Cryptology , 1/1, pp. 65-75, 1988.
  3. Michael Waidner, Unconditional Sender and Recipient Untraceability in Spite of Active Attacks, in Eurocrypt '89, volume 434 of Lecture Notes in Computer Science, pages 302-319, Springer-Verlag, 1989.
  4. J. Bos and B. den Boer, Detection of Disrupters in the DC Protocol, in Lecture Notes in Computer Science 434 (Eurocrypt '89), Springer-Verlag, 1989.
  5. Ceki Gülcü and Gene Tsudik, Mixing Email with Babel, Proceedings of the 1996 Symposium on Network and Distributed System Security, 1996.
  6. [Required] P. Syverson, D. Goldschlag, and M. Reed, Anonymous Connections and Onion Routing, Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, IEEE CS Press, pp. 44-54, May 1997.
  7. [Required] Michael Reiter and Aviel Rubin, Anonymous Web Transactions with Crowds, ACM Transactions on Information and System Security, v. 1, n. 1, pp. 66-92, 1998.
  8. Adam Back, Ulf Möller, and Anton Stiglic, Traffic Analysis Attacks and Trade-Offs in Anonymity Providing Systems, Lecture Notes in Computer Science, No. 2137, pp. 245, 2001.
  9. Clay Shields and Brian Neil Levine, A Protocol for Anonymous Communication Over the Internet, Proceedings of the 7th ACM Conference on Computer and Communication Security, Athens, Greece, Nov. 1-4, 2000.
  10. Rob Sherwood, Bobby Bhattacharjee, and Aravind Srinivasan, P5: A Protocol for Scalable Anonymous Communication, IEEE Symposium on Security and Privacy, 2002.
  11. Michael Freedman, Emil Sit, Josh Cates, and Robert Morris, Introducing Tarzan, a Peer-to-Peer Anonymizing Network Layer, the First International Workshop on Peer-to-Peer Systems, 2002.
  12. [Required] Yong Guan, Xinwen Fu, Riccardo Bettati, and Wei Zhao, "An Optimal Strategy for Anonymous Communication Protocols," in Proceedings of the 22nd IEEE International Conference on Distributed Computing Systems (ICDCS 2002), June 2002.
  13. George Danezis, Roger Dingledine, David Hopwood, and Nick Mathewson, Mixminion: Design of a Type III Anonymous Remailer, 2003 IEEE Symposium on Security and Privacy, May 2003.
  14. B. N. Levine, M. K. Reiter, C. Wang and M. Wright, Timing Attacks in Low-Latency Mix Systems, in Financial Cryptography: 8th International Conference, FC 2004.
  15. Michael K. Reiter and Xiaofeng Wang, Fragile Mixing, ACM CCS 2004.
  16. Platform for Privacy Preferences (P3P) Project, 2002.
  17. [Required] Anna Lysyanskaya, Ronald L. Rivest, Amit Sahai, Stefan Wolf, Pseudonym Systems, Selected Areas in Cryptography 1999, Lecture Notes in Computer Science.
Module VIII: Cyber Law, Security and Privacy Policies and Guidelines, and Legal Issues
  1. [Required] U.S. DoJ, Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Computer Crime and Intellectual Property Section, US DoJ, 2002.
  2. Daniel Ryan and Gal Shpantzer, Legal Aspects of Digital Forensics, The George Washington University, 2000.
  3. J. Patzakis and V. Limongelli, Encase Legal Journal, Guidance Software, April 2004.
  4. SWGDE Document, Scientific Working Group on Digital Evidence, April 2003.
  5. The Sedona Principles: Best Practices Recommendations & Principles for Addressing Electronic Document Production, Sedona Principles, Jan. 2004.
  6. ACPO Guide, Good Practice Guide for Computer Based Electronic Evidence, Association of Chief Police Officers.
  7. NIJ Guide, Electronic Crime Scene Investigation: A Guide for First Responders, 2001.
Module IX: Legal and Ethical Issues (Optional)
No required readings.
Module X: Court Report Writing and Testimony Skills
No required readings. Here are two useful documents:

  1. Judy Nodurft, Documentation and Writing Skills for Legal Reports, California Social Work Education Center (CalSWEC), University of California, Berkeley, 2001.
  2. ABA Litigation Section, Factors to Consider When Presenting Expert Testimony, ABA Litigation Section Annual Meeting, August 22, 2005.
Recent Cryptographic News on Hash Collision and Weakness
  1. Xiaoyun Wang, Dengguo Feng, Xuejia Lai and Hongbo Yu, Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD, Cryptology ePrint Archive, Report 2004/199, August 2004.
  2. Eli Biham and Rafi Chen, Near-Collisions of SHA-0, Crypto 2004.
  3. NIST's NSRL Project response on recent cryptographic news on hash collision and weakness, 2004.

My Additions:

Blogs (I know I am missing some):

  1. Sans Forensics Blog
  2. Harlan Carvey
  3. Fist full of Dongles
  4. Digital Forensics Solutions
  5. Tao Security
