
Choosing a topic

Here you can choose and propose a topic for your seminar. To do that:

  • If a topic for your seminar has already been approved by your teachers previously, you don't have to choose a new topic in this activity; just submit the seminar on the topic you already got in this seminar submission activity.
  • Read the list of topics below and find one that interests you. Make sure to check:
    • Has a topic similar to the one that interests you already been taken previously (in 2016/2017 or 2017/2018 or 2018/2019)?
    • Has a topic similar to the one that interests you already been taken this year (the list of all topics already registered this year)?
  • If you answered any of the previous questions positively, think about what new or different you can write about that topic, or choose another one.
  • Register your topic by clicking the Answer the questions… link at the bottom of the page.
  • After your topic proposal has been reviewed, you will get feedback on this page on whether your topic has been approved or not. If your proposal gets rejected, you can make a new one using the same procedure.

Topic proposal deadline is .

Seminar topics

[Multiple topics] means that students can propose a topic that was not previously analyzed and fits the description.

Category 1: File and filesystem forensics

  • Recovering deleted files through file system artifacts, without file carving
  • [Multiple topics] Analysis of a file format from a forensics perspective
  • [Multiple topics] Analysis of a file system from a forensics perspective

Category 2: Network forensics

  • [Multiple topics] Tor network, eg. Tor network in general, hidden services - current version, next generation hidden services, Tails, Whonix…
  • [Multiple topics] Analysis of a network protocol from a forensics perspective

Category 3: Smartphone forensics

  • [Multiple topics] Techniques for unlocking locked Android/iOS/Blackberry… devices
  • [Multiple topics] Techniques of data acquisition/extraction from Android/iOS/Blackberry… devices
  • [Multiple topics] Analysis of forensic artifacts left by commonly used smartphone applications (eg. WhatsApp, Facebook…) eg. which data does the application leave on the smartphone, how are they stored, how to access them, how to interpret them…

Category 4: Miscellaneous

  • Safe storage of computer forensics clues
  • [Multiple topics] A topic from a related discipline: incident response, cyber threat intelligence, threat hunting…
  • [Multiple topics] RAM forensics for Mac/Linux (desktop/server)/Android/iOS
  • [Multiple topics] Analysis of a computer forensics tool

Category 5: Computer forensics case study

  • A student simulates an activity that is interesting from a computer forensics perspective (eg. a malware infection), and then performs a step by step investigation, describes clues etc.
  • Interesting activities: malware infections, network attacks, malicious user behaviour (eg. deleting/editing important files)…
  • Example: Case study - forensic analysis of a computer infected with Locky ransomware
  • A student starts a virtual machine, infects it with Locky ransomware, creates a memory dump and a disk image, records network traffic, and then uses them for a forensic analysis while explaining clues left by the ransomware.
  • Eg. “this is the network traffic of Locky communicating with the C&C server to receive the encryption key, this is the Locky process (in the memory dump), its PID is <pid>, at the moment of memory dump it had <the following files> open, <this> is the Locky executable file (on disk)” etc.
  • And in the end, conclusions based on found clues - at 12:35 the ransomware was started, at 12:37 it started encrypting files (file abc.doc was encrypted first), at 12:40 the encryption process ended and the ransom note was shown…
  • Ideas for specific clues can be found in write-ups such as this one: https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/
  • Of course it is not necessary to do reverse engineering or deep analysis.
  • Important - caution is required when handling malware so you don't infect your own computer. It is necessary to have backups of all important data and to only run malware in “clean” virtual machines (where you didn't log in to any websites and you have no files there etc.).

Category 6: Student proposed topic

  • It has to be at least marginally related to computer forensics, like other topics

Category 7: Upgrading a previously analysed topic

  • It is possible to choose a previously analyzed topic under the strict condition that your work is an upgrade of the previous work - it is necessary to add new information and, where needed, correct old, incorrect information so that the total amount of work is equivalent to making a seminar for a new topic
en/teme/dostupne.txt · Last modified: 2023/06/19 18:17 (external edit)
CC Attribution-Share Alike 4.0 International