Digital Forensic Investigation Technique (25-29 Apr 2022)

 AM break 1000-1015
 PM break 1430-1445

Monday
  0800 – 0915  Course Intro; 1 – Intro to Digital Forensics
  0915 – 1145  Lab 1 – XWays
  1145 – 1245  Lunch
  1245 – 1400  2 – Volumes and Partitions
  1400 – 1630  Lab 2 – Volumes

Tuesday
  0800 – 0915  3 – FAT32
  0915 – 1145  Lab 3 – FAT32
  1145 – 1245  Lunch
  1245 – 1400  4 – NTFS
  1400 – 1630  Lab 4 – NTFS

Wednesday
  0800 – 0915  5 – Windows Forensics
  0915 – 1145  Lab 5 – Windows
  1145 – 1245  Lunch
  1245 – 1400  6 – Linux Forensics
  1400 – 1630  Lab 6 – Linux

Thursday
  0800 – 0915  7 – Memory Forensics
  0915 – 1145  Lab 7 – Memory
  1145 – 1245  Lunch
  1245 – 1400  Exercise (instructions)
  1400 – 1630  Exercise

Friday
  0800 – 0915  Exercise
  0915 – 1145  Exercise
  1145 – 1245  Lunch
  1245 – 1400  Exercise presentations
  1400 – 1630  Final Exam (1400-1500)

Other lab resources:
Lab setup instructions
Aide-mémoire

General Information

This document is a contract between DigForIT students and the instructor (Dr. Vincent Roberge). You must read it and understand it. We will discuss the important points during the first lesson.

Health and Safety - COVID

Due to the current situation with COVID, some health and safety measures must be put in place during the course. These measures are based on the directions provided by 33 Health Services, KFL&A Public Health and the Government of Ontario. Thank you in advance for following these measures.

During the course:

  • Masks must be worn at all times inside the building, including when seated in class and at the lab computers.
  • 2 m separation is encouraged, but not mandatory.
  • Seating plans for lectures and lab workstations must be followed.
  • Each student must complete a daily self-assessment before entering the building (https://covid-19.ontario.ca/exposed).
  • If the COVID self-assessment fails, before leaving your accommodation you must:
    • For CAF members – contact the 33 Health Svcs CDU COVID hotline for directions (613-329-7075).
    • For civilians – isolate for 5 days and wear a mask for 10 days (https://covid-19.ontario.ca/exposed).
    • Advise the course instructor by e-mail.

Objectives

Digital forensics is a branch of forensic science which focuses on the recovery and analysis of information found in digital systems. The objective of the Short Course in Digital Forensics Investigation Techniques (DigForIT) is to provide students with a basic foundation in digital forensics theory and techniques. This course is designed for students who currently have a basic understanding of computer security and who wish to learn the fundamentals of digital forensics with practical applications.

Topics of study are image acquisition, volume and partition recovery, file system structure, recovery of deleted files, operating system artifacts, e-mail systems, web browser activities, USB drives activities, timeline reconstruction and volatile memory analysis.

Reference Textbooks

No textbook is required to complete this course. All study material needed by the students is provided as printouts at the beginning of the course. This material is based on several textbooks, online materials and experiments by the instructor. However, the core of the course is based on the three references below:

  • B. Carrier, “File System Forensic Analysis”, Addison-Wesley, 2005, 569 p.
  • H. Carvey, “Windows Forensic Analysis Toolkit”, 4th Edition, Syngress, 2014, 350 p.
  • M.H. Ligh et al., “The Art of Memory Forensics – Detecting Malware and Threats in Windows, Linux and Mac Memory”, Wiley, 2014, 886 p.

Course Material

At the beginning of the course, a binder containing the lecture slides and the lab instructions will be given to each student. Students should bring pens and pencils in order to take notes during the course. During the labs, students will write their answers directly on the printed lab instructions. Students are expected to review the lecture material at night to prepare for the final exam.

Students are not required to bring a personal laptop to class, but may do so if they wish. Internet connectivity for personal laptops may be available, but is not guaranteed.

Course Organization

The course is divided into seven modules. Each module is composed of a lecture and a practical lab. The lectures are done in a semi-formal way where the instructor presents the material and students are encouraged to participate by answering questions, asking questions and sharing their experiences. There is also a summative exercise at the end of the course which allows the students to apply the theory and techniques learned during the course in a realistic forensic investigation.

Module 1 – Introduction to Digital Forensics (1/2 day)

  • Defining digital forensics
  • Defining incident response
  • Phases of a forensic investigation
  • Phases of an incident response operation
  • Key principles
  • Introduction to X-Ways Forensic software
  • Disk image acquisition using X-Ways
  • Searching, filtering, extracting and recovering files using X-Ways
  • Creating report tables using X-Ways

Module 2 – Volumes and Partitions (1/2 day)

  • Partitioning scheme (DOS and GPT)
  • Redundant array of independent disks (RAID)
  • Logical volume managers (Linux LVM, Microsoft LDM, Microsoft Storage Space)
  • Analysis and recovery of an MBR volume
  • Analysis and recovery of a GPT volume
  • Analysis and reconstruction of a RAID volume

Module 3 – FAT32 file system (1/2 day)

  • Historic overview
  • Concept of operation
  • Analysis of on-disk structures
  • Manually recovering deleted files
  • Automatically recovering deleted files using tools

Module 4 – NTFS file system (1/2 day)

  • Historic overview
  • Concept of operation
  • Analysis of on-disk structures
  • Alternate Data Streams (ADS)
  • Identifying deleted files and associated metadata
  • Automatically recovering deleted files using tools
  • Introduction to image steganography

Module 5 – Windows Forensics (1/2 day)

  • Windows image acquisition
  • Mounting images
  • Triage and extraction of forensically relevant files
  • Registry analysis
  • Event log analysis
  • Finding evidence of file download, program execution, file/folder opening, deleted file or file knowledge, external USB storage tracking, account usage and browser usage
  • Manually building a timeline of events

Module 6 – Linux Forensics (1/2 day)

  • Linux permissions
  • File system hierarchy standard
  • Disk image acquisition using Linux tools
  • Mounting disk images in Linux
  • Relevant system and user files
  • Scheduled jobs and services
  • Log files
  • Ext file system
  • Auto generation of timeline

Module 7 – Windows Memory Forensics (1/2 day)

  • Kernel and process memory space
  • Memory acquisition using the DumpIt utility
  • The Volatility Framework
  • Critical Windows processes
  • Listing processes, network connections and handles
  • Detecting privilege escalation
  • Detecting memory injection
  • Understanding kernel-mode and user-mode rootkits
  • Detecting and analyzing user-mode rootkits

Summative Exercise – Investigating a small computer network (1 day)

  • Conduct a digital forensic investigation in a team
  • Includes Windows and Linux computers
  • Identifying artefacts of interest
  • Analyzing artefacts to deduce the actions of the attackers
  • Documenting the evidence and their analysis
  • Writing an investigation report
  • Communicating the result of the investigation

Laboratory

At the end of each module, the students complete a lab exercise to practise the theory seen in class. The labs are done in virtual machines that are remotely accessed from computers in the RMC labs. Students are required to write down their answers on the printed lab instructions as they complete the lab. Students are not required to submit lab reports. The labs are debriefed at the beginning of the next lecture, where the instructor shows and discusses the solution with the students. During the labs, students are encouraged to collaborate with other students, but should write their own answers on their own lab instructions.

At the end of each lab instruction, there is a supplemental section. This section is optional and is not part of the course learning objectives. It is there for students who finish the lab early and who wish to further their knowledge on topics related to the lab. The lab supplemental section is not assessed on the final exam.

Final Exercise

The final exercise consists of a forensic investigation of a small computer network composed of Linux and Windows computers that have been compromised by an attacker. This exercise allows the students to apply the theory and techniques learned during the course to an open-ended problem. The aim of the investigation is to examine the computer systems, find the pieces of evidence, reconstruct what happened and answer who, what, when, how and why the attack occurred. The investigation is conducted in teams of 3 to 5 students. Each team writes an investigation report, which they also present at the end of the investigation.

Final Examination

The course is assessed using a final examination which is based on the material presented in the lectures and applied in the labs. The exam includes multiple-choice and/or short-answer questions and must be completed individually. With the exception of the course Aide-mémoire (which contains tables to decode data structures), students are not allowed to use their course notes, any references nor the Internet during the final exam. The pass mark for the exam is 50%. A penalty is given for incorrect multiple-choice answers. Students are expected to review their course notes at night in preparation for the final exam.

Course Assessment

The course is assessed as follows.

  • 100% Final Exam

The passing mark for the final exam is 50%.

Withdrawal Policy

Students who wish to withdraw from the course for personal reasons are allowed to withdraw until the end of day 3. Once day 4 has started, registered students will receive a final mark for the course. Students withdrawing from the course are responsible for informing their unit.

Academic Integrity

Integrity is essential to the academic enterprise and its foundations in the open, independent, and free exchange of ideas. Academic Integrity violations are defined as Cheating, Plagiarism or other violations of academic ethics. You are encouraged to read RMC academic regulation 23 regarding Academic Integrity.

In this course, you are encouraged to:

  • Collaborate with other students during the labs, but write your own answers.
  • Collaborate with your teammates during the final exercise.

In this course, you are not allowed to:

  • Collaborate with other students during the final exam.
  • Use resources that are not specifically allowed during the final exam.

Expectations

  • Arrive on time and prepared for the lectures.
  • Put in the effort to complete the lab work.
  • Be open-minded. Each of you has a different background and a different level of competency in computers and digital forensics. Participate in class and share your experience.

Copyright

All material provided by your instructor is subject to copyright and is intended only for your use within the context of your course. You are not authorized to distribute such material by any means without written permission. It is a departure from academic integrity to electronically record the entirety or any part of a class or to distribute, publicly post, sell or otherwise disseminate an instructor’s course materials or to provide an instructor’s course materials to anyone else for distribution, posting, sale or other means of dissemination, without the instructor’s express written consent. Any unauthorized recording of classes or distribution of course materials will be treated as a violation of academic ethics and investigated under the applicable Academic Integrity regulation and could be subject to other disciplinary or legal processes.