EE547 Digital Forensics

Schedule

Wed 13h00-15h00, s4214 (lecture)
Wed 15h00-16h00, s4126 (lab)

Lab report submission

Lab reports are to be submitted prior to the beginning of the next lab. Work submitted late will be subject to a 25% penalty per day unless an arrangement has been made with the instructor prior to the due date.

You must complete and submit all your laboratories in order to pass the course.

Resources

Some useful resources to supplement the lecture material (see the Course Description page for the list of mandatory textbooks):

  • B. Carrier, "File System Forensic Analysis", Addison Wesley, 2005, 569 p.
  • M.H. Ligh et al., "The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux and Mac Memory", Wiley, 2014, 886 p.
  • Harlan Carvey, "Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 8", 4th Edition, Syngress, 210, 350 p.

Weekly schedule (Wk = week number; empty cells mean no entry for that week):

Wk | Date   | Lectures                              | References      | Others                                      | Laboratories
---|--------|---------------------------------------|-----------------|---------------------------------------------|------------------------------------------------------------
1  | 12 Sep | Intro to digital forensics            | Carrier §1-3    |                                             | Lab 1 - Intro to X-Ways (resources and disk image)
2  | 19 Sep | Volumes and partitions                | Carrier §4-6    |                                             | Lab 2 - Volumes and Partitions (disk images, Ubuntu 16.04)
3  | 26 Sep | Volumes and partitions (cont'd)       | Carrier §6-7    |                                             |
4  | 3 Oct  | FAT32 file system                     | Carrier §8-10   |                                             | Lab 3 - FAT32 (disk image)
5  | 10 Oct | NTFS file system                      | Carrier §11-13  |                                             | Lab 4 - NTFS (disk image)
6  | 17 Oct | Windows                               | Carvey          |                                             |
7  | 24 Oct | Windows (cont'd)                      | Carvey          |                                             | Lab 5 - Windows 10 (VM and poster)
8  | 31 Oct | Windows objects                       | Ligh §1, 3-5    | Topic selection for students' presentations | Lab 6 - Memory forensics
9  | 7 Nov  | Processes, handles and tokens         | Ligh §6         |                                             |
10 | 14 Nov | Process memory internals              | Ligh §7-8       |                                             | Lab 7 - TBD (due on 28 Nov at 13h00)
11 | 21 Nov | Logs, registry, network and services  | Ligh §9-12      |                                             |
12 | 28 Nov | Kernel forensics and rootkits         | Ligh §13        |                                             |
13 | 5 Dec  | Student presentations                 |                 |                                             |
14 | 12 Dec | Exam week (no final exam)             |                 |                                             | No class