CCS 2006


[ Tutorial I || Tutorial II || Tutorial III ]

Tutorial I

Digital Forensics: Research Challenges and Open Problems

Tuesday, October 31, 2006
14:00 - 15:30

Speaker: Dr. Yong Guan, Department of Electrical and Computer Engineering, Iowa State University


The possibility of becoming a victim of cyber crime is the number one fear of billions of people. It is clear that we need better IT technology and training to properly secure our cyber infrastructure and engender appropriate trust in its operation and fidelity. But that, by itself, is not enough. Even if we were able to build and deploy highly-robust computing systems, there would still be threats from unexpected interactions and failures, and from users with privileged access but with improper training and/or untoward motives. We need to have reliable tools and methods for investigation when an untoward event occurs, both to fix any collateral damage and to identify the causes. We also need to support a credible deterrent based on the threat of discovery and action ranging from administrative discipline to legal proceedings. Underlying all of that, we need a sound scientific foundation so that we have confidence in our results to identify the real causes and not to mistakenly accuse any innocent parties. The science, technology and practice that encompass all of these concepts for cyber crime investigation are generally known as Digital Forensics. To date, this emerging field of digital forensics has been plagued by a lack of fundamental research and theory, ad hoc and independent tool development, and few formal standards.

There are several technical challenges that must be addressed for digital forensics. Many of these challenges relate to establishing a sound scientific foundation and developing practical techniques for investigating cyber crimes. This tutorial is designed to introduce essential digital forensics concepts, lay down the technological challenges and important research problems, and describe how the research community is addressing them. We will explore the issues associated with both computer forensics and network forensics, and at the end, will discuss a few important open problems in the field. We hope this tutorial could introduce digital forensics to and bring more attention and interests from a wider community of security researchers and practitioners. We also hope to motivate more young students to work in this field, and seek scientists, engineers, practitioners, educators, and others who have insight and vision on and understanding of the technical and social challenges in digital forensics field to shape the research agenda over the next one or two decades.


The intended audience includes students and faculty in universities interested in study and research in digital forensics, law enforcement practitioners, industry researchers and developers interested in research and development of digital forensic products, systems, and applications. Basic operating systems and networking knowledge is assumed.
  • Introduction: Motivation, Goals, and History
  • Digital Evidence Principles and Procedures
  • Evidence Collection and Analysis
  • File System Analysis
  • Memory Imaging
  • OS-level Logging and Hardware-assisted Program Flow Monitoring
  • Automated Analysis
  • Attack Attribution
  • Stepping Stone Attack Attribution and IP Traceback
  • Tracing Botmasters and Anonymous VoIP Calls
  • Multimedia Forensics
  • Network Surveillance
  • Metrics and Methodologies for Forensic Tools Development and Testing
  • Open Problems and Research Challenges

Speaker Biography:

Dr. Yong Guan is currently an Assistant Professor in the Department of Electrical and Computer Engineering at Iowa State University. He is affiliated with the U.S. DoE Ames Lab's Midwest Forensics Resource Center and the Iowa State University's NSA-designated Information Assurance Center. He received his BS (1990) and MS (1996) in Computer Science from Peking University, China, and his PhD (2002) in Computer Science from Texas A&M University. His research interests are computer networks and distributed systems, with focuses on security issues, including computer and network forensics, wireless and sensor network security, and privacy-enhancing technologies for the Internet. He co-chaired the Computer and Network Forensics Research Workshop (CNFR 2005), which was held in conjunction with IEEE SecureComm 2005. He received the best student paper award from the IEEE National Aerospace and Electronics Conference in 1998 and won the 2nd place in graduate category of the Int'l ACM student research contest in 2002. He is a member of ACM and IEEE, and a member of IFIP TC-11 WG 11.9: Digital Forensics.

For more information, please visit his web page:


Tutorial II

Xen Worlds: Xen and the Art of Security Education

Wednesday, November 1, 2006
11:00 - 12:30

Speakers:Dr. Thomas Daniels and Benjamin Anderson, Department of Electrical and Computer Engineering, Iowa State University


We will present the Xen Worlds project, an effort to create a versatile "virtual lab" where each student can be provided root access to their own network of virtual machines, (a Xen World), with the Xen World being accessible 24/7 access via SSH. This approach makes it possible for students to turn-in a single virtual machine, or their entire network, as the finished product, and allows for grading to occur directly on those machines instead of grading a few select artifacts such as configuration files, programs or outputs. In addition to providing the virtual lab environment, the Xen Worlds project is tailored to the requirements and phases of the assignment life-cycle, and ensuring ease-of-use for the instructor and students.

Xen Worlds is relatively inexpensive to implement, with no software costs, due to the use of open source software, and low hardware costs, due to the efficiency of the Xen virtual machine monitor. The entire cost of our Xen Worlds cluster is under US$7,000 and, with Fedora as the virtual machine OS, allows over 300 VMs to be run simultaneously. However, it is also possible to implement a smaller-scale solution, as a single desktop computer could potentially run 30 to 50 virtual machines simultaneously.

The tutorial will introduce and discuss the general aspects of the Xen Worlds project, but will focus on the increased possibilities for assignments, and the ease of use for both the instructor and students. Specifically, the tutorial will cover:
  • Advantages and limitations of the Xen Worlds environment.
  • Assignments that have utilized the Xen Worlds environment.
  • Design and configuration of a Xen World.
  • Creation of Xen Worlds for multiple students.
  • Instructor and student interfaces to the Xen Worlds environment.
  • Evaluation of the assignment.

To illustrate these points, the tutorial will focus on a simple assignment that can be given to introduce students to the Xen Worlds environment. This will include a demonstration of the design, configuration and creation of the Xen Worlds, and a demonstration of the interfaces used to access the Xen Worlds environment.

This tutorial is aimed at educators interested in expanding the diversity of assignments that can be given, and researchers interested in creating virtual networks consisting of fully functional virtual machines. A familiarity with a Linux environment is assumed, but no in-depth knowledge of the operating system is required. Educators and researchers from diverse areas should find something to take away from this tutorial.

The most important benefit that attendees will gain from this tutorial is the exposure to a new environment that can immediately be used for academic and research purposes, with minimal implementation and administration costs.

Speakers' Biographies:

Dr. Thomas E. Daniels is an Assistant Professor in the Department of Electrical and Computer Engineering at Iowa State University in Ames, Iowa. Tom received his Doctorate in Computer Science from Purdue University under the advisement of Eugene H. Spafford. He did his graduate work at Purdue, initially in the Computer Operations, Audit, and Security Technology (COAST) Lab and then in the Center for Education and Research in Information Assurance and Security (CERIAS). More information is available at:

Benjamin Anderson is a Ph.D. student in Computer Engineering at Iowa State University studying under Dr. Tom Daniels. Ben received his B.Sc. in Computer Science from Iowa State University in 2000, and worked at Motorola, Inc. as a Senior Software Engineer until returning to Iowa State in 2003 to begin his graduate studies. Ben's research interests are in the areas of intelligent attack agents and educational applications of virtualization.


Tutorial III

Cryptographic Protection for Networked Storage Systems

Thursday, November 2, 2006
08:30 - 10:30

Speaker: Christian Cachin, IBM Zurich Research Lab



Storage systems have undergone a tremendous evolution over the last years. Today, storage space is typically provided by complex networked systems, in which clients communicate with storage servers over a network. In the near future, networked storage systems will extend beyond the server room, and their security will become a prime concern. Most data storage systems will soon rely on cryptographic protection methods as a key technology.

Protecting "data at rest" in storage systems poses new challenges compared to protecting "data in flight", which has been the focus of communication security for some time and is well understood today. One notable difference between these two problems is that a communication channel typically uses a streaming interface with FIFO characteristic, whereas a storage system must provide random access to small portions of the stored data. New techniques are needed for providing security in this context, in particular for protecting the integrity of stored data efficiently and for key management.

Methods for cryptographic storage protection have been investigated for some time already, and some have been available in practice, like hard-disk and whole file-system encryption. Concerns about the involved overhead has so far prevented their pervasive use in distributed storage systems. But privacy regulations that have recently been introduced mandate encryption for certain environments; this explains why the industry is actively working on strong cryptographic protection methods for data storage systems.

Topics of the tutorial:
  • Layers of storage systems: blocks, inodes, files
  • Security mechanisms appropriate for particular layers
  • Cryptographic protection methods for data-at-rest versus data-in-flight
    • Encryption modes
    • Integrity protection with Merkle hash trees
  • Key management for storage systems with lazy revocation
The focus will be on recently developed methods for encryption, integrity protection, and access control that use strong cryptography for securing storage systems, in particular for block storage systems and distributed file systems.

Background material for this tutorial (see
  1. Security in storage networks: A current perspective. ZISC Information Security Colloquium, ETH, Zurich, Zurich, Nov. 2004.
  2. M. Backes, C. Cachin, and A. Oprea. Lazy Revocation in Cryptographic File Systems, in Proc. 3rd Intl. IEEE Security in Storage Workshop, San Francisco, Dec. 2005.
  3. M. Backes, C. Cachin, and A. Oprea, Secure key-updating for lazy revocation, Research Report RZ 3627, IBM Research, Aug. 2005.

Speaker Biography:

Christian Cachin graduated with a diploma in Computer Science from ETH Zurich (1993) and obtained his Ph.D. in Computer Science from ETH Zurich in 1997. From 1997 to 1998 he was postdoctoral researcher at the MIT Laboratory for Computer Science, with Prof. Ron Rivest, one of the inventors of public-key cryptography. He has been a Research Staff Member at IBM Zurich Research Lab since 1998, where he was involved in a number of projects in security and distributed systems.

He has authored many publications in the areas of cryptology and distributed systems, holds several patents on secure protocols and cryptographic algorithms, and has been a frequent member of program committees of technical conferences. He is a Director of the International Association for Cryptologic Research (IACR). Together with Jan Camenisch he was program chair and organized Eurocrypt 2004. His current research interests are cryptography, network security, fault tolerance and distributed systems.