Description

In this course, students will develop a thorough understanding of digital forensics theory and techniques and will apply these to investigate incidents on various computer systems. Topics will include image acquisition techniques; analysis of various file systems including FAT, NTFS and Ext; analysis of live memory dumps; triage and analysis of key artifacts from different operating systems including Windows, Linux and Mac; carving of deleted files and data; analysis of USB device activities; e-mail analysis; web browser analysis including Internet Explorer, Mozilla Firefox and Google Chrome; timeline analysis; and network traffic analysis. Students completing this course will be able to respond to and investigate computer system incidents triggered by malicious users or malware. The course will include formal lectures, directed reading assignments, practical laboratory work, review and critique of digital forensics literature and a major course project.

Course Goals

By taking this course, the students will:

  • Develop a thorough understanding of the basics and advanced techniques of digital forensics;
  • Design and present one or more lectures on fundamental topics in digital forensics;
  • Design and implement one or more teaching laboratories that complement the lecture(s) developed by the student; and
  • Prepare and present a review of a state-of-the-art digital forensic technique.

Mandatory Textbooks

  1. B. Carrier. “File System Forensic Analysis”, Addison Wesley, 2005, 569 p.
  2. M.H. Ligh et al., “The Art of Memory Forensics – Detecting Malware and Threats in Windows, Linux and Mac Memory”, Wiley, 2014, 886 p.
  3. H. Carvey, “Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 8”, 4th Edition, Syngress, 2014, 350 p.

Assessment

Marks will be weighted as follows:

  • Labs – 50%
  • Lecture(s) developed by the student on a digital forensic topic – 20%
  • Laboratory(ies) developed by the student to complement the lecture(s) – 20%
  • Paper review – 10%

Schedule

The course will be organized in three components. Component 1 will consist of a series of formal lectures supplemented by reading assignments and laboratory work. Component 2 will consist of directed readings assigned individually to each student. Based on those readings, the students will each develop a minimum of one lecture and one laboratory. Each student will then present their lecture and their laboratory to the rest of the class. Component 3 will consist of a review of a state-of-the-art technique in digital forensics. Based on the time remaining, this review will be submitted in the form of a written document, an oral presentation or both.

The course will follow the schedule shown below. Component 1 will take place during weeks 1 to 7 while components 2 and 3 will cover weeks 8 to 13. During weeks 8 to 10, there will be no classes, but the students are expected to meet with the instructor on an individual basis to discuss the progress of their lecture, laboratory and research. Presentations will occur during the last three weeks of the term.

| Wk | Date | Lectures | References | Others | Laboratories |
|----|------|----------|------------|--------|--------------|
| 1 | 11-15 Sep | Intro to digital forensics | Carrier §1-3 | | Lab on intro to X-Ways, due at 13h00 on 20 Sep 2017 (Resources and Disk image) |
| 2 | 18-22 Sep | Volumes and partitions | Carrier §4-7 | | Lab on Volumes and Partitions, due at 13h00 on 4 Oct 2017 (Disk images) |
| 3 | 25-29 Sep | | | Directed Studies Instructions | |
| 4 | 2-6 Oct | FAT32 file system | Carrier §8-10 | | Lab on FAT32 (Disk image) |
| 5 | 9-13 Oct | Windows | Carvey | Topic selection for student lectures and labs; research paper selection | |
| 6 | 16-20 Oct | NTFS file system | Carrier §11-13 | | Lab on NTFS (Disk image) |
| 7 | 23-27 Oct | Windows (cont'd) | Carvey | Outline for student lectures and lab | |
| 8 | 30 Oct - 3 Nov | | | | Updated on 14 Nov: Lab on Windows 10 (VM and poster) |
| 9 | 6-10 Nov, Robotics lab | Ext3 file system | Carrier §14-15 | | Lab on Ext3 (Disk image) |
| 10 | 13-17 Nov | No class; individual work | | | |
| 11 | Fri 24 Nov, 9h00, Robotics lab | Individual work | | | |
| 12 | Fri 1 Dec, 9h00, Robotics lab | Student lecture+lab presentations | Papers: Louis; Jonathan 1 and 2; Stéphane | | Due on 1 Dec 2017: all labs; paper critique (1/2 page single spaced); lecture (.pptx); lab instructions + solutions (.docx) |
| 13 | Fri 8 Dec, 9h00, Robotics lab | Exam week (no final exam); no class | | | |
| 14 | 11-15 Dec | Exam week (no final exam); no class | | | |