EE547 Digital Forensics


In this course, students will develop a thorough understanding of digital forensics theory and techniques and will apply these to investigate incidents on various computer systems. Topics will include image acquisition techniques; analysis of various file systems including FAT, NTFS and Ext; analysis of live memory dump, triage and analysis of key artifacts from different operating systems including Windows, Linux and Mac; carving of deleted files and data, analysis of USB device activities, e‑mail analysis, web browser analysis including Internet Explorer, Mozilla Firefox and Google Chrome; timeline analysis and network traffic analysis. Students completing this course will be able to respond to and investigate computer system incidents triggered by malicious users or malware. The course will include formal lectures, directed reading assignments, practical laboratory works, review and critique of digital forensics literature and a major course project.

Course Goals

By taking this course, the students will:

  • Develop a thorough understanding of the basics and advanced techniques of digital forensics;
  • Design and present one or more lectures on fundamental topics in digital forensics;
  • Design and implement one or more teaching laboratory that complements the lecture(s) developed by the student; and
  • Prepare and present a review of a state-of-the-art digital forensic technique.

Mandatory Textbooks

  1. B. Carrier. “File System Forensic Analysis”, Addison Wesley, 2005, 569 p.
  2. M.H. Ligh et al., “The Art of Memory Forensics – Detecting Malware and Threats in Windows, Linux and Mac Memory”, Wiley, 2014, 886 p.


Marks will be weighed as follows:

  • Labs – 50%
  • Lecture(s) developed by the student on a digital forensic topic – 20%
  • Laboratory(ies) developed by the student to complement the lecture(s) – 20%
  • Paper review – 10%


The course will be organized in three components. Component 1 will consist of a series of formal lectures supplemented by reading assignments and laboratory works. Component 2 will consist of directed readings assigned individually to each student. Based on those readings, the students will each develop a minimum of one lecture and one laboratory. Each student will then present their lecture and their laboratory to the rest of the class. Component 3 will consist of a review of a state-of-the-art technique in digital forensics. Based on the time remaining, this review will be submitted in the form of a written document, an oral presentation or both.

The course will follow the schedule shown below. Component 1 will take place during weeks 1 to 7 while components 2 and 3 will cover weeks 8 to 13. During weeks 8 to 10, there will be no classes, but the students are expected to meet with the instructor on an individual basis to discuss the progress of their lecture, laboratory and research. Presentations will occur during the last three weeks of the term.








10-14 Sep

Intro to digital forensics

Carrier §1-3


Lab on intro to X-Ways

due at 13h00 on 20 Sep 2017

(Resources and Disk image)


17-21 Sep

Volumes and partitions

Carrier §4-7


Lab on Volumes and Partitions

due at 13h00 on 4 Oct 2017

(Disk images)


24-28 Sep



Directed Studies Instructions



1-5 Oct

FAT32 file system

Carrier §8-10


Lab on FAT32

(Disk image)


8-12 Oct



Topic selection for student lectures and labs

Research paper selection



15-19 Oct

NTFS file system

Carrier §11-13


Lab on NTFS

(Disk image)


22-26 Oct

Windows (con't)


Outline for student lectures and lab



29 Oct - 2 Nov




Updated on 14 Nov

Lab on Windows 10

(VM and poster)


5-9 Nov

Ext3 file system

Carrier §14-15


Lab on Ext3

(Disk image)


12-16 Nov

Individual work





19-23 Nov

individual work





26-29 Nov

Student lecture+lab presentations



 Due on 1 Dec 2017

- All labs

- Paper critique (1/2 page single spaced)

- Lecture (.pptx)

- Lab instructions + solutions (.docx)


3-7 Déc

Exam week (no final exam)

No class





10-14 Déc

Exam week (no final exam)

No class