
EE547 Digital Forensics

General Information

This document is an agreement between EE547 students and the instructor. You must read and understand it. We will discuss the important points in the first class.

The EE547 course is taught by Dr. Vincent Roberge. You will find my contact information here. Due to the situation with COVID-19, the course will be delivered entirely online using Big Blue Button and Discord. The details on how to join the course channel will be sent by email before the first class.

I will publish this document, the course schedule and all other course information under this web site http://roberge.segfaults.net. The website is protected by a password. You will be able to browse the different pages, but when you click on a link to download a file, it will ask you for a username and password. These credentials will be given to you during the first class.

Objectives

The main objectives of the course are to provide the students with:

By the end of this course, students will be able to investigate a wide range of incidents involving digital systems. They will have gained enough knowledge, experience and autonomy to continue exploring this field on their own.

Description

The official description of the course, as it appears in the Graduate Calendar:

Digital forensics is a branch of forensic science which focuses on the recovery and analysis of information found in digital systems. It has a wide range of applications including intelligence gathering, private, corporate and criminal investigations, incident response involving digital systems and many others. In this course, students will develop a thorough understanding of digital forensics theory and techniques and will apply these to investigate incidents involving malicious user activity and malware on common operating systems. Topics will include image acquisition techniques, analysis of volatile and non-volatile memory, file system structures, OS artifacts, e-mail systems, web browser activity, USB storage device activity, timelines of activity, data stream carving, deleted file carving, process analysis, network connection analysis and anti-forensic techniques.

Lectures: 3 periods per week

Credit: 1

Course Organization

The course is organized as a series of formal lectures supplemented by readings and laboratories. The aim is to develop an understanding of forensics theory and techniques and to gain practical experience. The laboratory work is critical to the students' learning and the effort required should not be underestimated. Each laboratory will require between 5 and 10 hours to complete. Virtual machines will be used extensively throughout the course. The course also includes student presentations and a final exercise, which are described in more detail in subsequent sections.

The lectures are organized in six modules, each covering several topics as shown below. Each module is supplemented by a laboratory.

Modules and topics

Module 1: Principles of digital forensics
  • Intro to digital forensics
  • Intro to incident response
  • Phases of a forensic investigation
  • Phases of an incident response operation
  • Key principles

Module 2: Volumes and partitions
  • Components of a hard drive
  • Volumes and partitions
  • Partitioning tables
  • Multi-disk volumes

Module 3: File systems
  • FAT
  • NTFS
  • Ext3
  • For each:
    • Historic overview of the file system
    • Concept of operation
    • Deep analysis of on-disk structures
    • Recovery of deleted files and metadata

Module 4: Windows Forensics
  • Windows image acquisition
  • Registry analysis
  • Event log analysis
  • Evidence of file download, program execution, file/folder opening, deleted file or file knowledge, physical location, external device/USB, account usage, browser usage
  • Building a timeline
  • Summary of useful software tools

Module 5: Linux Forensics
  • Filesystem Hierarchy Standard
  • Live system analysis
  • Post-mortem system analysis
  • Parsing log files and regex
  • Generating timelines

Module 6: Windows Memory Forensics
  • Memory management
  • Memory acquisition
  • The Volatility Framework
  • Windows Executive Objects
  • Pool tag scanning
  • Analyzing processes, handles, tokens
  • Analyzing process internal memory
  • Hunting malware in process memory
  • Recovering event logs, registries
  • Networking artefacts
  • Kernel forensics and rootkit analysis


Mandatory Textbooks

The following textbooks are mandatory to complete the course. As the course progresses, you will realize that the lectures introduce the various concepts and provide just enough information for you to navigate and understand the books. However, when completing the laboratories, you will use these two books extensively.

  1. B. Carrier. “File System Forensic Analysis”, Addison Wesley, 2005, 569 p.
  2. M.H. Ligh et al., “The Art of Memory Forensics – Detecting Malware and Threats in Windows, Linux and Mac Memory”, Wiley, 2014, 886 p.


Laboratory

The labs in this course are not marked and you are not required to submit lab reports. However, you should take the time to write down the answers to all questions. This will prepare you for the final exercise. Also, at the end of each lab, you are required to submit six flags on the Capture-the-Flag (CTF) server set up for the course. These are marked and count towards your final grade. Each lab will be debriefed at the beginning of the next class. For this reason, the flags on the CTF server will be active only until the beginning of the next class. This will force you to progress at a steady pace throughout the course.

Student paper presentation

For the student presentations, each student presents a research paper in the field of digital forensics. The aim is to introduce the students to a broad selection of research topics in digital forensics. The presentations are 15 minutes long and are assessed by the professor and peers.

Final exercise

The final exercise consists of a forensic investigation of a small computer network composed of Windows and Linux computers. The aim of the exercise is to synthesize the theory and techniques learned throughout the course. The investigation is conducted in teams of 2 or 3 students and a complete report is required. The report should explain the investigative process, the artifacts found, the analysis and a summary of events.

Assessment

Marks will be weighed as follows:

To pass the course, students must have completed all the course work (labs, paper presentation and final exercise) and obtained an overall mark of 70% or more.

Attendance

Presence in the virtual classroom is very important as the material presented in the lecture is necessary to complete the labs. Students will also be encouraged to ask questions in class about difficulties they are encountering in the labs. This gives an opportunity for the instructor to help the entire class.

Academic Integrity

Academic integrity violations, including cheating, plagiarism and any form of violation of academic ethics, may result in sanctions ranging from a recorded caution to expulsion from the program. RMC regulations on academic integrity, section 23, define plagiarism as "Using the work of others and attempting to present it as original thought, prose or work. This includes failure to appropriately acknowledge a source, misrepresentation of cited work, and misuse of quotation marks or attribution; Failure to acknowledge adequately collaboration or outside assistance and; Copying." You should familiarize yourself with the regulations about academic integrity available in the Graduate Studies Calendar.

Copyright

All material provided by your instructor is subject to copyright and is intended only for your use within the context of your course. You are not authorized to distribute such material by any means without written permission. It is a departure from academic integrity to electronically record the entirety or any part of a class or to distribute, publicly post, sell or otherwise disseminate an instructor’s course materials or to provide an instructor’s course materials to anyone else for distribution, posting, sale or other means of dissemination, without the instructor’s express written consent. Any unauthorized recording of classes or distribution of course materials will be treated as a violation of academic ethics and investigated under the applicable Academic Integrity regulation and could be subject to other disciplinary or legal processes.

Last Note

Lastly, but most importantly, make sure to have fun. Digital forensics is a very exciting field. In the digital world, users and malware leave traces everywhere. Knowing how to find and decode these traces is a great asset.