Difference between pages "Upcoming events" and "Research Topics"

From ForensicsWiki
<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
Events should be posted in the correct section, and in date order.  An event should NEVER be listed in more than one section (i.e. Ongoing/Continuous events should not be listed in Scheduled Training).  When events begin the same day, events of a longer length should be listed first.  New postings of events with the same date(s) as other events should be added after events already in the list. If a provider offers the same event at several locations simultaneously, the listing should have a single (ONE) entry in the list with the date(s) and ALL locations for the event. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two-digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event (i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
<i>Some events may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience.  Such restrictions should be noted when known.</i>

This is a BY DATE listing of upcoming events relevant to [[digital forensics]].  It is not an all-inclusive list, but includes most well-known activities.  Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.

This listing is divided into four sections (described as follows):<br>
<ol><li><b><u>Calls For Papers</u></b> - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)</li><br>
<li><b><u>Conferences</u></b> - Conferences relevant for Digital Forensics (Name, Date, Location, URL)</li><br>
<li><b><u>On-Going / Continuous Training</u></b> - Training opportunities that are either always available online/distance learning format (start anytime) or that are offered the same time every month (Name, date-if applicable, URL)</li><br>
<li><b><u>[[Scheduled Training Courses]]</u></b> - Training Classes/Courses that are scheduled for specific dates/locations.  This would include online (or distance learning format) courses which begin on specific dates, instead of the "start anytime" courses listed in the previous section. (Provider, URL) (''note: this has been moved to its own page.'')<br></li></ol>

The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multimedia Sciences Section Listserv.
<i> (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
Requests for additions, deletions or corrections to this list may be sent by email to David Baker <i>(bakerd AT mitre.org)</i>.

== Calls For Papers ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! width="30%"|Title
! width="15%"|Due Date
! width="15%"|Notification Date
! width="40%"|Website
|-
|Blackhat Briefings - Washington DC
|Jan 01, 2009
|Jan 16, 1009
|https://www.blackhat.com/html/bh-dc-09/bh-dc-09-cfp.html
|-
|Hacker Halted USA 2009
|Jan 15, 2009
|Feb 15, 2009
|http://www.eccouncil.org/hhusa/papers/page6.html
|-
|3rd Edition of Small Scale Digital Device Forensics Journal
|Jan 31, 2009
|
|http://www.ssddfj.org/Call.asp
|-
|4th International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE-2009)
|Feb 01, 2009
|
|http://conf.ncku.edu.tw/sadfe/sadfe09/
|-
|Blackhat Briefings - Europe
|Feb 01, 2009
|Feb 15, 2009
|https://www.blackhat.com/html/bh-europe-09/bh-eu-09-cfp.html.
|-
|Usenix Security 2009
|Feb 04, 2009
|Apr 13, 2009
|http://www.usenix.org/events/sec09/cfp
|-
|2009 ADFSL Conference on Digital Forensics, Security and Law
|Feb 20, 2009
|
|http://www.digitalforensics-conference.org/callforpapers.htm
|-
|KDDD 2009
|Feb 02, 2009
|Apr 10, 2009
|http://www.sigkdd.org/kdd2009/
|-
|DFRWS 2009
|Mar 16, 2009
|Apr 28, 2009
|http://www.dfrws.org/2009/cfp.shtml
|-
|Layer One - 2009
|Apr 01, 2009
|Apr 15, 2009
|http://layerone.info/
|-
|ACM CCS 2009
|Apr ?? 2009
|
|http://www.sigsac.org/ccs
|-
|Usenix Lisa 2009
|Apr 30, 2009
|
|http://www.usenix.org/events/lisa09/cfp/
|-
|New Security Paradigms Conference 2009
|Apr ?? 2009
|
|http://www.nspw.org/current/
|-
|IEEE Symposium on Security and Privacy 2010
|Nov ?? 2009
|
|
|-
|ShmooCon 2010
|Dec ??, 2008
|Jan ??, 2009
|http://www.shmoocon.org/cfp.html
|-
|AusCERT Conference 2010
|Dec ??, 2008
|Jan ??, 2009
|http://conference.auscert.org.au/conf2010/cfp2010.html
|-
|}
  
== Conferences ==
 
{| border="0" cellpadding="2" cellspacing="2" align="top"
 
|- style="background:#bfbfbf; font-weight: bold"
 
! width="40%"|Title
 
! width="20%"|Date/Location
 
! width="40%"|Website
 
|-
 
|2009 DoD Cyber Crime Conference
 
|Jan 24-30<br>St. Louis, MO
 
|http://www.dodcybercrime.com/
 
|-
 
|5th Annual IFIP WG 11.9 International Conference on Digital Forensics
 
|Jan 25-28<br>Orlando, FL
 
|http://www.ifip119.org/Conferences/
 
|-
 
|ShmooCon 2009
 
|Feb 06-08<br>Washington, DC
 
|http://www.shmoocon.org/
 
|-
 
|American Academy of Forensic Sciences Annual Meeting
 
|Feb 16-21<br>Denver, CO
 
|http://www.aafs.org/default.asp?section_id=meetings&page_id=aafs_annual_meeting
 
|-
 
|Blackhat DC
 
|Feb 16-19<br>Washington, DC
 
|https://www.blackhat.com/html/bh-dc-09/bh-dc-09-main.html
 
|-
 
|24th Annual ACM Symposium on Applied Computing - Computer Forensics Track
 
|Mar 08-12<br>Honolulu, HI
 
|http://www.acm.org/conferences/sac/sac2009
 
|-
 
|ARES 2009 Conference
 
|Mar 16-19<br>Fukuoka, Japan
 
|http://www.ares-conference.eu/conf/
 
|-
 
|Security Opus
 
|Mar 17-18<br>San Francisco, CA
 
|http://www.securityopus.com
 
|-
 
|e-Crime Congress 2009
 
|Mar 24-25<br>London, United Kingdom
 
|http://www.e-crimecongress.org/ecrime2009/
 
|-
 
|Blackhat Europe
 
|Apr 14-17<br>Amsterdam, The Netherlands
 
|https://www.blackhat.com/html/bh-europe-09/bh-eu-09-main.html
 
|-
 
|AusCERT2009
 
|May 17-22<br>Gold Coast, Australia
 
|http://conference.auscert.org.au/conf2009/
 
|-
 
|Computer Security Institute: Security Exchange
 
|May 17-22<br>Las Vegas, NV
 
|http://www.csisx.com/
 
|-
 
|ADFSL 2009 Conference on Digital Forensics, Security and Law
 
|May 20-22<br>Burlington, VT
 
|http://www.digitalforensics-conference.org
 
|-
 
|Fourth International Workshop on Systematic Approaches to Digital Forensic Engineering
 
|May 22<br>Oakland, CA
 
|http://conf.ncku.edu.tw/sadfe/sadfe09/
 
|-
 
|LayerOne 2009 Security Conference
 
|May 23-24<br>Anaheim, CA
 
|http://layerone.info/
 
|-
 
|Mobile Forensics World 2009
 
|May 26-30<br>Chicago, IL
 
|http://www.mobileforensicsworld.com
 
|-
 
|2009 Techno Security Conference
 
|May 31-Jun 03<br>Myrtle Beach, SC
 
|http://www.techsec.com/index.html
 
|-
 
|IEEE ICC Communication and Information Systems Security (CISS) Symposium
 
|Jun 14-18<br>Dresden, Germany
 
|http://www.ieee-icc.org/2009/
 
|-
 
|Blackhat USA 2009
 
|Jul 25-30<br>Las Vegas, NV
 
|https://www.blackhat.com/
 
|-
 
|DefCon 17
 
|Jul 31-Aug 02<br>Las Vegas, NV
 
|http://www.defcon.org/
 
|-
 
|Usenix Security Symposium
 
|Aug 10-14<br>Montreal, Quebec, Canada
 
|http://www.usenix.org/events/sec09/
 
|-
 
|Digital Forensic Research Workshop
 
|Aug 17-19<br>Montreal, Quebec, Canada
 
|http://www.dfrws.org
 
|-
 
|Triennial Meeting of the European Academy of Forensic Science
 
|Sep 08-11<br>Glasgow, Scotland, UK
 
|http://www.eafs2009.com/
 
|-
 
|Hacker Halted USA 2009
 
|Sep 20-24<br>Miami, FL
 
|http://www.hackerhalted.com/usa
 
|-
 
|}
 
  
== On-going / Continuous Training ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! width="40%"|Title
! width="20%"|Date/Location
! width="40%"|Website
|- style="background:pink;align:left"
! DISTANCE LEARNING
|-
|Basic Computer Examiner Course - Computer Forensic Training Online
|Distance Learning Format
|http://www.cftco.com
|-
|Linux Data Forensics Training
|Distance Learning Format
|http://www.crazytrain.com/training.html
|-
|SANS On-Demand Training
|Distance Learning Format
|http://www.sans.org/ondemand/?portal=69456f95660ade45be29c00b0c14aea1
|- style="background:pink;align:left"
! RECURRING TRAINING
|-
|MaresWare Suite Training
|First full week every month<br>Atlanta, GA
|http://www.maresware.com/maresware/training/maresware.htm
|-
|Evidence Recovery for Windows Vista&trade;
|First full week every month<br>Brunswick, GA
|http://www.internetcrimes.net
|-
|Evidence Recovery for Windows Server&reg; 2003 R2
|Second full week every month<br>Brunswick, GA
|http://www.internetcrimes.net
|-
|Evidence Recovery for the Windows XP&trade; operating system
|Third full week every month<br>Brunswick, GA
|http://www.internetcrimes.net
|-
|Computer Forensics Training and CCE&trade; Testing for Litigation Support Professionals
|Third weekend of every month (Fri-Mon)<br>Dallas, TX
|http://www.md5group.com
|-
|}
  
==See Also==
* [[Scheduled Training Courses]]

==References==
* [http://faculty.cs.tamu.edu/guofei/sec_conf_stat.htm Computer Security Conference Ranking and Statistic]
* [http://www.kdnuggets.com/meetings/ Meetings and Conferences in Data Mining and Discovery]
* [http://www.conferencealerts.com/data.htm Data Mining Conferences World-Wide]

Revision as of 09:27, 23 August 2012

Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is our list. Please feel free to add your own ideas.

Many of these would make a nice master's project.

Programming Projects

Small-Sized Programming Projects

  • Modify bulk_extractor so that it can directly acquire a raw device under Windows. This requires replacing the current open function call with a CreateFile function call and using windows file handles.
  • Rewrite SleuthKit sorter in C++ to make it faster and more flexible.

Medium-Sized Programming Projects

  • Create a program that visualizes the contents of a file, sort of like hexedit, but with other features:
    • Automatically pull out the strings
    • Show histogram
    • Detect crypto and/or steganography.
  • Extend fiwalk to report NTFS alternate data streams.
  • Create a method to detect NTFS-compressed cluster blocks on a disk (RAW data stream). A method could be to write a generic signature to detect the beginning of NTFS-compressed file segments on a disk. This method is useful in carving and scanning for textual strings.
  • Write a FUSE-based mounter for SleuthKit, so that disk images can be forensically mounted using TSK.
  • Modify SleuthKit's API so that the physical location on disk of compressed files can be learned.
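A signature scanner for the NTFS-compressed chunks described in the item above, added here as an example; it is not part of this wiki page, of SleuthKit, or of any named project. It assumes the LZNT1 chunk layout used by NTFS compression as documented by Microsoft (MS-XCA): a 16-bit little-endian header carrying a 3-bit 011b signature, a compressed flag and a 12-bit length, in front of a body that decompresses to at most 4096 bytes. Rather than matching the header word alone, it validates each candidate by decoding it and requiring a chain of chunks; the sample stream is constructed inline.

```python
import struct
CHUNK_SIZE = 4096  # an LZNT1 chunk decompresses to at most 4096 bytes

def parse_chunk_header(hdr):
    """Header bits 0-11: chunk length minus 3 (incl. the 2 header bytes); bits 12-14: 011b;
    bit 15: body is compressed. Returns (is_compressed, total_length) or None on bad signature."""
    if (hdr >> 12) & 0x7 != 0x3:
        return None
    return bool(hdr & 0x8000), (hdr & 0x0FFF) + 3

def decompress_chunk(body):
    """Decode one compressed chunk body (header stripped); None if the tokens are malformed."""
    out, i = bytearray(), 0
    while i < len(body):
        flags, i = body[i], i + 1
        for bit in range(8):  # LSB first: 0 = literal byte, 1 = 16-bit back-reference
            if i >= len(body):
                break
            if not flags & (1 << bit):
                out.append(body[i]); i += 1
                continue
            if i + 2 > len(body):
                return None  # truncated token
            tok = struct.unpack_from("<H", body, i)[0]; i += 2
            lg = max(0, (len(out) - 1).bit_length() - 4)  # offset/length split widens with output
            back, length = (tok >> (12 - lg)) + 1, (tok & (0xFFF >> lg)) + 3
            if back > len(out) or len(out) + length > CHUNK_SIZE:
                return None  # reference before chunk start, or output overrun
            for _ in range(length):  # byte-by-byte so overlapping copies repeat correctly
                out.append(out[-back])
    return bytes(out) if len(out) <= CHUNK_SIZE else None

def find_compressed_runs(stream, min_chunks=2):
    """(offset, chunk_count) for each chain of >= min_chunks decodable compressed chunks;
    a chain plus a clean decode keeps stray 0xB??? words from matching on their own."""
    hits, pos = [], 0
    while pos + 2 <= len(stream):
        n, cur = 0, pos
        while cur + 2 <= len(stream):
            parsed = parse_chunk_header(struct.unpack_from("<H", stream, cur)[0])
            if parsed is None or not parsed[0]:
                break  # not a compressed chunk header: the chain ends here
            body = stream[cur + 2:cur + parsed[1]]
            if len(body) != parsed[1] - 2 or decompress_chunk(body) is None:
                break
            n, cur = n + 1, cur + parsed[1]
        if n >= min_chunks:
            hits.append((pos, n))
        pos = cur if n >= min_chunks else pos + 1
    return hits

# Constructed sample (not from a real image): filler bytes, a literal-only chunk, a chunk with
# one back-reference ("abc" repeated three more times), then a 0x0000 end-of-unit marker.
CHUNK1 = b"\x0d\xb0" + b"\x00ABCDEFGH" + b"\x00IJKL"  # header 0xB00D: 16 bytes in total
CHUNK2 = b"\x05\xb0" + b"\x08abc" + b"\x06\x20"        # token 0x2006: back 3, length 9
SAMPLE = b"\xff" * 37 + CHUNK1 + CHUNK2 + b"\x00" * 12
```

A scanner meant for whole images would additionally restrict candidates to cluster-aligned offsets, since NTFS compression units begin on cluster boundaries, which cuts both runtime and false positives.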


Big Programming Projects

  • Develop a new carver with a plug-in architecture and support for fragment reassembly carving (see Carver 2.0 Planning Page).
  • Write a new timeline viewer that supports Logfile fusion (with offsets) and provides the ability to view the logfile in the frequency domain.
  • Correlation Engine:
    • Logfile correlation
    • Document identity identification
    • Correlation between stored data and intercept data
    • Online Social Network Analysis
  • Find and download in a forensically secure manner all of the information in a social network (e.g. Facebook, LinkedIn, etc.) associated with a targeted individual.
    • Determine who is searching for a targeted individual. This might be done with a honeypot, or documents with a tracking device in them, or some kind of covert Facebook App.
    • Automated grouping/annotation of low-level events, e.g. access-time, log-file entry, to higher-level events, e.g. program start, login

Reverse-Engineering Projects

Reverse-Engineering Projects

  • Reverse the on-disk structure of the Extensible Storage Engine (ESE) Database File (EDB) format to learn:
    • Fill in the missing information about older ESE databases
    • Exchange EDB (MAPI database), STM
    • Active Directory (Active Directory working document available on request)
  • Reverse the on-disk structure of the Lotus Notes Storage Facility (NSF)
  • Reverse the on-disk structure of Microsoft SQL Server databases
  • Add support to SleuthKit for XFAT, Microsoft's new FAT file system.
  • Add support to SleuthKit for ReFS.
  • Physical layer access to flash storage (requires reverse-engineering proprietary APIs for flash USB and SSD storage.)
  • Modify SleuthKit's NTFS implementation to support NTFS encrypted files (EFS)
  • Extend SleuthKit's implementation of NTFS to cover Transactional NTFS (TxF) (see NTFS)

EnCase Enhancement

  • Develop an EnScript that allows you to script EnCase from Python. (You can do this because EnScripts can run arbitrary DLLs. The EnScript calls the DLL. Each "return" from the DLL is a specific EnCase command to execute. The EnScript then re-enters the DLL.)

Timeline analysis

  • Mapping differences and similarities in multiple versions of a system, e.g. those created by Windows Shadow Volumes

Research Areas

These are research areas that could easily grow into a PhD thesis.

  • General-purpose detection of:
    • Steganography
    • Sanitization attempts
    • Evidence Falsification (perhaps through inconsistency in file system allocations, application data allocation, and log file analysis)
  • Visualization of data/information in digital forensic context
  • SWOT of current visualization techniques in forensic tools; improvements; feasibility of 3D representation;