EE547 Digital Forensics

General Information

This document is an agreement between EE547 students and the instructor. You must read and understand it. We will discuss the important points in the first class.

The EE547 course is taught by Dr. Vincent Roberge. You will find my contact information here. I am at the office and available to answer questions most days of the week, so stop by at any time. However, if you want to make sure you don't miss me, you can schedule an appointment. Simply send me an email or talk to me in class.

I will publish this document, the course schedule and all other course information on this web site: http://roberge.segfaults.net. The website is protected by a password. You will be able to browse the different pages, but when you click on a link to download a file, you will be asked for a username and password. These credentials will be given to you during the first class.

Objectives

The main objectives of the course are to provide the students with:

  • A solid foundation of digital forensics theory and techniques;
  • An exposure to more advanced or recent topics in the field;
  • Significant practical experience to reinforce the concepts learnt in class and to develop autonomy; and
  • Some research experience in the field.

By the end of this course, students will be able to investigate a wide range of incidents involving digital systems. They will have gained enough knowledge, experience and autonomy to continue exploring this field on their own.

Description

The official description of the course, as it appears in the Graduate Calendar:

Digital forensics is a branch of forensic science which focuses on the recovery and analysis of information found in digital systems. It has a wide range of applications including intelligence gathering, private, corporate and criminal investigations, incident response involving digital systems and many others. In this course, students will develop a thorough understanding of digital forensics theory and techniques and will apply these to investigate incidents involving malicious user activity and malware on common operating systems. Topics will include image acquisition techniques, analysis of volatile and non-volatile memory, file system structures, OS artifacts, e-mail systems, web browser activity, USB storage device activity, timelines of activity, data stream carving, deleted file carving, process analysis, network connection analysis and anti-forensic techniques.

Lectures: 3 periods per week

Credit: 1

Course Organization

The course is organized as a series of formal lectures supplemented by readings and laboratories. The aim is to develop an understanding of forensics theory and techniques and to gain practical experience. The laboratory work is critical to the students' learning and the effort required should not be underestimated. Each laboratory will require between 5 and 10 hours to complete. Most laboratories can be completed in the ECE lab or at home on a personal computer. Virtual machines will be used extensively throughout the course. The course also includes a course project, which is described in more detail in a subsequent section.

The lectures are organized in six modules, each covering several topics, as listed below. Each module is supplemented by a laboratory.

Principles of digital forensics
  • Intro to digital forensics
  • Intro to incident response
  • Phases of a forensic investigation
  • Phases of an incident response operation
  • Key principles
Volumes and partitions
  • Components of a hard drive
  • Volumes and partitions
  • Partitioning tables
  • Multi-disk volumes
File systems
  • FAT
  • NTFS
  • Ext3
  • For each:
    • Historic overview of the file system
    • Concept of operation
    • Deep analysis of on-disk structures
    • Recovery of deleted files and metadata
Windows Forensics
  • Windows Image Acquisition
  • Registry Analysis
  • Event Log Analysis
  • Evidence of file download, program execution, file/folder opening, deleted file or file knowledge, physical location, external device/USB usage, account usage and browser usage
  • Building a timeline
  • Summary of useful software tools
Linux Forensics
  • Filesystem Hierarchy Standard
  • Live system analysis
  • Post-mortem system analysis
  • Parsing log files and Regex
  • Generating timelines
Windows Memory Forensics
  • Memory Management
  • Memory Acquisition
  • The Volatility Framework
  • Windows Executive Objects
  • Pool tag scanning
  • Analyzing processes, handles, tokens
  • Analyzing process internal memory
  • Hunting malware in process memory
  • Recovering event logs, registries
  • Networking artefacts
  • Kernel forensics and rootkits analysis

Mandatory Textbooks

The following textbooks are mandatory to complete the course. As the course progresses, you will realize that the lectures in class introduce the various concepts and provide just enough information for you to navigate and understand the books. However, when completing the laboratories, you will use these two books extensively.

  1. B. Carrier, “File System Forensic Analysis”, Addison-Wesley, 2005, 569 p.
  2. M.H. Ligh et al., “The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux and Mac Memory”, Wiley, 2014, 886 p.


Laboratory

Laboratories are the cornerstone of the course. Details for each laboratory will be published on the course schedule page. Laboratories are to be completed individually, and reports are to be submitted on or before the due date specified on the course schedule. Lab reports submitted late will be subject to a 10% penalty per day unless an arrangement has been made with the instructor prior to the due date. This rule is not meant to annoy students, but to ensure the class progresses at a steady pace, since lectures and labs are intrinsically related.

You must complete and submit all your laboratories in order to pass the course.

Course project

The project is an opportunity for students to gain experience in an area of interest in the field of digital forensics. Projects are to be completed individually or in teams of two and include a project report and a presentation. The project topic has to be selected by week 8 of the semester and must be approved by the instructor. Examples of project topics are:

  • Develop a software tool to facilitate the analysis of digital artefacts;
  • Explore an area of digital forensics not covered in class and develop a practical exercise with a solution set;
  • Explore an area of digital forensics covered in class, but in more depth, and develop a more advanced exercise with a solution set;
  • Develop a series of forensics challenges. These could be used in a future iteration of this course as bonus questions on each lab;
  • Conduct a forensic investigation on a small computer network; and
  • Others.

Assessment

Marks will be weighted as follows:

  • Labs – 70%
  • Project report – 20%
  • Project presentation – 5%
  • In-class participation – 5%

To pass the course, a student must have completed all the coursework (labs, project report and project presentation) and obtained an overall mark of 70% or more.

Attendance

Attendance in the classroom is very important, as the material presented in the lectures is necessary to complete the labs. Students are also encouraged to ask questions in class about difficulties they are encountering in the labs. This gives the instructor an opportunity to help the entire class. Although the instructor maintains an open door policy, he will not entertain questions from students who do not come to class.

Academic Integrity

Academic integrity violations, including cheating, plagiarism and any other breach of academic ethics, may result in sanctions ranging from a recorded caution to expulsion from the program. RMC regulations on academic integrity, section 23, define plagiarism as "Using the work of others and attempting to present it as original thought, prose or work. This includes failure to appropriately acknowledge a source, misrepresentation of cited work, and misuse of quotation marks or attribution; Failure to acknowledge adequately collaboration or outside assistance and; Copying." You should familiarize yourself with the regulations on academic integrity available in the Graduate Studies Calendar.

Last Note

Lastly, but most importantly, make sure to have fun. Digital forensics is a very exciting field. In the digital world, users and malware leave traces everywhere. Knowing how to find and decode these traces is a great asset.