Report submission, brief oral summary, and the bridge to RE-101 and the courses beyond. This week is delivery, not new content.
Reading
No new reading this week. Use any reading time to polish the capstone report.
Lecture outline (~1 hr)
Part 1: Capstone report expectations (20 min)
The capstone report (see labs/lab-9-capstone.md and CAPSTONE.md for the full specification) is a structured static analysis report. The deliverable is:
- A Git repository with at least 3 commits (showing work over time, not a single commit dump).
- report.md: the main analysis report, 5-8 pages.
- A section diagram or annotated screenshot of the binary's key finding in Ghidra.
- At least two primary sources cited (the firmware download page, a CVE or prior advisory, a datasheet or reference manual if used).
The report sections:
- Target overview (device, firmware version, extraction method)
- Binary analysis (which binary, architecture, stripped/unstripped, key imports)
- Findings (what you found, with evidence: function names, addresses, strings, Ghidra screenshots)
- Comparison to prior work (how your analysis relates to any prior CVE or advisory on the same device)
- What would be next (what you would analyze next if this were an engagement, what dynamic analysis would add, what RE-101 would do differently)
- Tooling narrative (which tools, in which order, what each one contributed)
Section 3 (Findings) is the graded core. A report that identifies a real, salient finding (a hardcoded credential, a dangerous function call, an outdated library version) and backs it with specific evidence scores higher than one that reports "the binary appears to handle web requests" without evidence.
Part 2: Oral summary (20 min)
Each student presents a 5-minute oral summary of their capstone (can be informal, not a polished slide deck):
- What is the device and why did you choose that binary?
- What did you find?
- What was the hardest part of the analysis?
- What would you do next?
The oral summary is not separately graded; it is a check that the student understands their own report. A report that the student cannot explain verbally raises questions about authorship and depth.
Part 3: Forward pointers -- where these skills go (20 min)
RE-011 ends here. The skills you have built go in four directions:
RE-101 (Reverse Engineering I): The Motorola SB6141 cable modem is the RE-101 lab target. RE-101 adds physical access (UART, JTAG), firmware extraction from hardware (rather than downloading from the manufacturer), and vulnerability research (not just finding, but understanding exploitability). The static analysis skills from RE-011 (Ghidra navigation, assembly reading, firmware teardown) are the prerequisite; RE-101 assumes you have them.
ADV-101 (Adversarial Analysis I): Malware analysis. ADV-101 takes the dynamic analysis skills from Week 9 and the anti-RE recognition from Week 10 and applies them to binaries that were not designed to be analyzed -- malware samples in sandboxed environments. The MITRE ATT&CK vocabulary from SEC-101 becomes the reporting framework.
ADV-102 (Adversarial Analysis II): Advanced dynamic analysis: unpacking pipelines, emulation-based analysis (Unicorn, qiling), sandbox evasion detection. The anti-RE recognition from Week 10 is the direct prerequisite; ADV-102 covers active bypasses at a level RE-011 does not.
RE-201 (Reverse Engineering II): Firmware extraction from live hardware (JTAG, UART, SPI flash read). The firmware teardown methodology from Week 12 is the direct prerequisite; RE-201 adds the physical access layer that RE-011 deliberately excluded.
The skills compound. Every course in the track builds on what came before. RE-011 is the foundation.
Lab exercises (~3 hr)
Lab 9: Firmware analysis capstone
See labs/lab-9-capstone.md and CAPSTONE.md for the full specification and grading rubric.
Submit your Git repository URL to the instructor. The repository must have at least 3 commits before submission. The report must be in Markdown format (report.md).
Independent practice
No independent practice this week beyond finishing the capstone. Use any remaining time to:
- Re-read your report for clarity and accuracy.
- Verify that your Git repository has 3+ commits and the repository structure matches the spec.
- Write your final Tool Journal entry: a summary of the tools you used across 14 weeks, in what order you would use them if you were starting a new analysis today, and one thing you wish you had learned earlier in the course.
Reflection prompts (optional, for the Tool Journal)
- At the start of Week 1, you had not seen a hex editor, had not read assembly, and had not loaded a binary into Ghidra. Describe the moment in the course where binary analysis started to feel tractable rather than foreign. What caused the shift?
- The course posture was "read first, run second, never guess." In Week 14, looking back: how well did you maintain that posture? When did you deviate from it, and why? Was the deviation ever justified?
- RE-011 deliberately did not cover exploit development, malware analysis, or live hardware extraction. Which of the three feels most immediately interesting to you after 14 weeks, and why? What is the next course you would take?
Week 14 of 14. RE-011 complete. Forward: RE-101 (SB6141 lab target), ADV-101 (malware analysis), ADV-102 (advanced dynamic), RE-201 (hardware extraction).