Final year project ideas

Hello,
I’m doing a final year project related to cyber security & forensics. My initial ideas were to create an intrusion detection system or a honeypot but I think they are a little bit out of my league as I am a noob and doing the project alone. A project that has something to do with cryptography and blockchain would be interesting but nothing came to mind.
Do you guys have ideas for a project or maybe you guys did a project for your bachelor’s degree that might be of interest?
Appreciate any kind of help.

I don’t know anything about blockchain (other than it’s the source of 95% of scams) and crypto is (IMHO) hard.

I wouldn’t give up on the honeypot idea - have a look at this one in Docker GitHub - ciscocsirt/dhp: Simple Docker Honeypot server emulating small snippets of the Docker HTTP API

From a professional point of view, forensics would be a good way to go. Volatility 3 has made some significant changes in how memory is analysed but there is still a gap in how the tooling meshes together.

Additionally there is always more research needed in how Windows Application Compatibility Cache stores data (amcache.hve structures), in how we can tie together evidence of execution (prefetch, shimcache etc) between volatile storage and disk storage.

Away from windows, simplifying mounting LVM2/APFS images on a windows host would be genuine magic.

@TazWake
Why I’m thinking about Honeypots is it’s an interesting project and even with my limited/weak programming and overall IT skills I would enjoy doing the project even if I wouldn’t create a good product, I would still learn something (tho afraid not to finish it on time but I have approx 7-8 months). Going to do more research in the meantime.

Having a hard time understanding Volatility 3 other than it’s a memory forensics tool so thinking how I might approach it.

Other ideas are a bit out of my league xd but they are genuinely great ideas that would give me a high mark (not to mention the knowledge I would gain).

OK - then the focus should be on something you find interesting which you also feel you have the skills to do.

I don’t think learning something brand new from scratch would be a good move, so look back on the things you have done - what has really motivated you?

I promise pretty much anything you can think of has space for someone to develop something new.

My IT journey only started a couple of years ago so my skill set is pretty limited, don’t mind learning something new although it might take away a lot of time (but I’m jobless atm so it might work out).

I really enjoyed the security aspect of computing: physical, network security, exploitation and defence methods and etc.
Also liked doing forensic work, investigating computer systems and data, gathering possible evidence and that sort of thing.

OK - so forensics-wise, the main pain points are understanding modern Windows Application Compatibility Cache stores - they change, get compressed etc. with each new Windows build.

Or you could look at some way to automatically build linux memory profiles.

@TazWake said:

I don’t know anything about blockchain (other than it’s the source of 95% of scams) and crypto is (IMHO) hard.

I wouldn’t give up on the honeypot idea - have a look at this one in Docker GitHub - ciscocsirt/dhp: Simple Docker Honeypot server emulating small snippets of the Docker HTTP API

From a professional point of view, forensics would be a good way to go. Volatility 3 has made some significant changes in how memory is analysed but there is still a gap in how the tooling meshes together.

Additionally there is always more research needed in how Windows Application Compatibility Cache stores data (amcache.hve structures), in how we can tie together evidence of execution (prefetch, shimcache etc) between volatile storage and disk storage.

Away from windows, simplifying mounting LVM2/APFS images on a windows host would be genuine magic.

I had no idea you could pull artifacts from volatile memory. How does that even work? RAM has no way to store anything and isn’t that the whole purpose of Metasploit’s Meterpreter to run on RAM and stay undetectable from forensic analysis? Why bother developing the tool if there’s already a counter for it?

@LMAY75 said:

I had no idea you could pull artifacts from volatile memory. How does that even work? RAM has no way to store anything and isn’t that the whole purpose of Metasploit’s Meterpreter to run on RAM and stay undetectable from forensic analysis? Why bother developing the tool if there’s already a counter for it?

Everything that happens on a computer traverses the RAM. A lot of offensive tooling is developed by people who don’t know what forensic traces it will leave.

Nothing is perfect (and forensics is an art as much as it is a science) but you can’t do anything on a computer without leaving traces somewhere.

If you have a memory image you can pretty much recreate the entire filesystem (you can’t recover every file though). The registry and significant artifacts that attackers/pentesters think they have deleted reside in RAM, often only written to disk on shutdown.

Meterpreter is a very noisy tool from a forensic point of view.

Very interesting… are there any good resources to check out if I wanted to learn more about forensics?

@LMAY75 said:

Very interesting… are there any good resources to check out if I wanted to learn more about forensics?

A difficult question to answer - it is a very broad area of knowledge. I wouldn’t know where to suggest you start.

It genuinely depends on what you already know. The resources tend to be split by OS and between disk and memory forensics as they all tend to need different tools and different understanding.

There are a lot of DFIR blogs but they tend to be more focussed on developing new ideas than providing a grounding. Some of the core disk forensics for NTFS haven’t changed for 20 years so you’d need to dig into some old material to find stuff. Almost all my training on this has come from formal courses.

Going back to the point about meterpreter though there is almost no way it can be stealthy. It generates executables/services and processes which tend to have strings of 8 characters for the name - few things stand out to the human eye as quickly as a process list with hfUdiblk.exe running.

Process execution and service creation get captured in the windows event logs so it is trivial to find this even after the process has executed.

Windows has two systems which monitor executables - prefetch and shimcache. Both analyse files they find and store data in the registry (including timestamps, path, command line, dlls loaded etc). All of this data is also stored in RAM (volatility plugins shimcachemem and prefetchparser are useful but so are a lot of others), the registry is stored in RAM so you can also query the key directly.

Then there is all the other stuff you can use such as checking the file system for the temporary data it uses, the links to shared libraries it needs etc.

From a DFIR perspective, it is mildly amusing when people claim attacks are “fileless malware” because they leave files all over the target system.
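The process-name check described in the post above, as an added example that is not part of the original thread: it scans process-creation (Event ID 4688) and service-install (Event ID 7045) records for executables whose name is exactly eight letters and looks random. The sample records, the `looks_random` heuristic and its thresholds are assumptions made for illustration.

```python
import re

# Constructed sample records, not real logs: (event_id, host, image or service path).
# 4688 = process creation (Security log); 7045 = service installed (System log).
SAMPLE_EVENTS = [
    (4688, "WS01", r"C:\Windows\explorer.exe"),
    (4688, "WS01", r"C:\Windows\System32\services.exe"),
    (4688, "WS01", r"C:\Windows\System32\taskhost.exe"),
    (4688, "WS01", r"C:\Users\Public\hfUdiblk.exe"),
    (7045, "WS01", r"C:\Windows\Temp\qZxwRtpk.exe"),
    (4688, "WS02", r"C:\Program Files\App\Updater.exe"),
]

# File name of exactly eight letters, anchored at a path separator or string start.
STEM_RE = re.compile(r"(?:^|\\)([A-Za-z]{8})\.exe$", re.IGNORECASE)


def looks_random(stem):
    """Hypothetical heuristic: interior capitals, few vowels, or a long consonant run."""
    interior_upper = any(c.isupper() for c in stem[1:]) and not stem.isupper()
    low = stem.lower()
    vowel_ratio = sum(c in "aeiou" for c in low) / len(low)
    longest_run = max(len(run) for run in re.split(r"[aeiou]", low))
    return interior_upper or vowel_ratio < 0.25 or longest_run >= 4


def flag_events(events):
    """Return (event_id, host, stem) for every record whose image name looks random."""
    hits = []
    for event_id, host, path in events:
        match = STEM_RE.search(path)
        if match and looks_random(match.group(1)):
            hits.append((event_id, host, match.group(1)))
    return hits


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print("review:", hit)
```

Legitimate eight-letter names such as explorer.exe and services.exe pass this check, but the mixed-case signal disappears if the log pipeline lower-cases paths, so treat hits as leads for review.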

@TazWake
I’ve been reading a bit on honeypots and IDS, the topic is interesting for me but I can’t figure out what should I do that can be new and everything that comes to mind is too complicated for me. The ideas:
1. Deploying a honeypot system on a Cloud (this is already done but thinking how it could be improved)
2. This one I’m still thinking but don’t know how to approach it and there isn’t a lot of material on the web: Reducing cost of honeypot deployment.
3. This one is interesting because I haven’t seen anyone do this and only found a book that talks about it: Honeypots in a nested virtual environment
4. Honeypot with an IDS (this is already done). Was thinking creating like a tripwire program with wireshark that trips on anything and combining with a honeypot but this idea isn’t new.
Found a bunch of honeypots that could be used:
GitHub - paralax/awesome-honeypots: an awesome list of honeypot resources

Automatically building linux memory profiles and understanding modern Windows Application Compatibility Cache stores seem like interesting ideas and would benefit me in the long run but I’m not sure if I’ll be able to do them.

@ap4y said:

@TazWake
I’ve been reading a bit on honeypots and IDS, the topic is interesting for me but I can’t figure out what should I do that can be new

Anything you do will be new because it will be your take on it. Don’t worry too much at this stage about inventing something no one has ever thought of before - largely because that is close to impossible.

Facebook wasn’t new (MySpace?), Slack isn’t new (IRC?), even Next-Gen-Machine-Learning-AI-Hunting tools like DarkTrace aren’t new, they rely on existing ideas with a different take.

and everything that comes to mind is too complicated for me.

If you have a big, complicated, idea you can try to break it down into bite sized chunks. Then you only need to solve one problem at a time, not all the problems at once.

The ideas:
1. Deploying a honeypot system on a Cloud (this is already done but thinking how it could be improved)
2. This one I’m still thinking but don’t know how to approach it and there isn’t a lot of material on the web: Reducing cost of honeypot deployment.
3. This one is interesting because I haven’t seen anyone do this and only found a book that talks about it: Honeypots in a nested virtual environment
4. Honeypot with an IDS (this is already done). Was thinking creating like a tripwire program with wireshark that trips on anything and combining with a honeypot but this idea isn’t new.
Found a bunch of honeypots that could be used:
GitHub - paralax/awesome-honeypots: an awesome list of honeypot resources

They are all good ideas.

Seriously, don’t think too much about “new”; think more about how you can create it your way.

Automatically building linux memory profiles and understanding modern Windows Application Compatibility Cache stores seem like interesting ideas and would benefit me in the long run but I’m not sure if I’ll be able to do them.

Ok - a lot will depend on how much time you have to research and learn new things as well as building the tool, so it might make sense to start on something you are more comfortable with right now.

The honeypots are all good ideas.

@TazWake @sparkla Thank you, and you guys are right, I need to think smaller and break it down. Another idea came to mind: making honeypots more attractive to regular, non-techie users. It could be beneficial in the long run because if more people used honeypots, more information could be gathered, more vulnerabilities could be identified and etc. But privacy might be an issue…

Anyways, I have 10 days left to submit my project proposal so trying to figure out what can I do and if I could do it.

A friend suggested to make a free wifi hotspot and gather information from people that just blindly connect to it and make a report of my findings and etc. Sounds pretty neat and really simple.

All good ideas.

@sparkla I’m not thinking about using the gathered information for malicious intent.
It doesn’t matter if it’s legal or not, what matters is not getting caught xd

@ap4y said:

@sparkla I’m not thinking about using the gathered information for malicious intent.
It doesn’t matter if it’s legal or not, what matters is not getting caught xd

I would not suggest using that as a project if you don’t want to get caught

Also that is like very illegal

It’s for the sake of knowledge, identifying vulnerabilities and designing countermeasures for possible future attacks. I understand where you’re coming from, guys; I could just get consent from family members and friends and intercept and monitor their traffic and work with that.
It’s an interesting topic and with wireless networks growing more people will be vulnerable to attacks.