COEN 152/252
Class Project

Done in groups. The number of members in a group determines the needed level of success. Presentation due last day of class. If time permits, you get to present your results in class.


1. Web-based Email Characteristics

Preconditions: You need to get people in different countries to send you email from several web-accounts and send you copies of email headers that they received.

Project: Email servers insert characteristic elements in an email header. You are to create a list of these pecularities. The number of free email sites (hotmail, yahoo, gmail, ...) and the number of countries used will depend on the group size.

2. Yahoo Messenger Decryption

Preconditions: C-programming with bit-manipulations. Installing and running Yahoo messenger.

Project: Yahoo messenger stores past chats in an archive. The contents of the archive are encrypted using the handle of the chat partner as the key. The encoding is weak and documented in a number of websites. You are to write an archive decoder. (There is shareware available that you can try out as a prototype.)

3. Commercial Wiping Products

Preconditions: Cash (for acquiring file wiping software), desktop machine to play with.

Project: A number of commercial "secure file deletion" or wiping tools exist. However, while the better ones delete the file so that it cannot be recovered by normal hard drive operations, they still leave traces, so that a forensics examiner can determine that wiping software was used to delete a file and what type of software was used. You are to investigate a single product of your choice on an OS of your choice. You should determine the working of the software on a floppy or USB drive as well as on a file on a hard-drive. (Of course, for scientific objectivity, you need to repeat the procedure. If your group is large, then you might want to test it on more than one platform or you might want to test different products. You'll get access to FTK for the testing of your disks.

4. Packet Sender

Preconditions: Lots of time. Capacity to do systems programming.

Project: Generate a GUI that allows to send arbitrary packages on a platform of your choice. Validate your program with Ethereal.

5. Date File Changer

Precondition: Need a hex viewer on a windows NTFS system.

Project: Tools such as timestomp change the MAC time stamps on a Windows system. Install one or two of these programs on a Windows NTFS system and check whether they indeed change all timestamps.

6. Parameter Block Analysis Tools

Project: Structures such as the Bios Parameter Block or the Partition Table in the MBR, NTFS MFT entries etc. have a well-defined structure. Develop a tool that parses them automatically. (Unless you really like a challenging project, do not plan on opening up the structure you are investigating programmatically but rather have a string input or file input interface.)

7. Understanding Registry Entries

Project: Select a forensically important area of the registry and do experiments in order to document the behavior of a given set of registry entries.

Web Browser History File

Project: IE 6 allowed a user to clear the history file, but retained information about browsing history in auxiliary files. Certify three webbrowsers for Windows, Mozilla, Safari, and IE, to not retain history data after the user has cleared the history. You will need a tool that logs file system calls in order to ascertain which system files are changed when browsing. Once you have determined the files used by the browser, you need to do an analysis of the changes introduced by the "clear history" file.

2009 Thomas Schwarz, S.J., COEN, SCU SCU COEN COEN252 T. Schwarz
These documents are not intended for dissemination beyond SCU.        CAVEAT LECTOR