EE547 Digital Forensics

Schedule

Wed 13h00-15h00 (lecture)
Wed 15h00-16h00 (lab)

References

  • B. Carrier. “File System Forensic Analysis”, Addison Wesley, 2005, 569 p.
  • M.H. Ligh et al., “The Art of Memory Forensics – Detecting Malware and Threats in Windows, Linux and Mac Memory”, Wiley, 2014, 886 p.
  • Harlan Carvey, “Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 8”, 4th Edition, Syngress, 210, 350 p.

Resource

| Wk | Date | Lectures | References | Others | Laboratories |
|----|------|----------|------------|--------|--------------|
| 1 | 12 Jan | Intro to digital forensics (recording) | Carrier §1-3 | | Lab setup; Lab 1 - Intro to X-Ways (due 19 Jan at 13h00) |
| 2 | 19 Jan | Volumes and partitions (recording) | Carrier §4-7 | | Lab 2 - Volumes and Partitions (due 26 Jan at 13h00) |
| 3 | 26 Jan | FAT32 file system (recording) | Carrier §8-10 | | Lab 3 - FAT32 (due 2 Feb at 13h00) |
| 4 | 2 Feb | NTFS file system (recording) | Carrier §11-13 | | Lab 4 - NTFS (due 16 Feb at 13h00) |
| 5 | 9 Feb | Windows (recording) | Carvey | | |
| 6 | 16 Feb | Windows (cont'd); Linux (recording) | Carvey | | Lab 5 - Windows 10 (due 23 Feb at 13h00) |
| 7 | 23 Feb | Linux (cont'd) | | | Lab 6 - Linux (due 2 Mar at 13h00) |
| 8 | 2 Mar | Windows Objects (recording); Process, handles and tokens (recording) | Ligh §1, 3-5; Ligh §6 | Paper selection | Lab 7 - Memory Acquisition (due on 9 Mar at 13h00) |
| 9 | 9 Mar | Process memory internals (recording) | Ligh §7-8 | | Lab 8 - Malicious Processes (due on 16 Mar at 13h00) |
| 10 | 16 Mar | Kernel forensics and rootkits (recording) | Ligh §13 | | Lab 9 - Rootkits (due on 23 Mar at 13h00) |
| 11 | 23 Mar | Final exercise (recording) | | | Final exercise (Instructions, template) (due on 20 Apr at 13h00) |
| 12 | 30 Mar | No class (work on exercise and presentation) | | | |
| 13 | 6 Apr | Student presentations (schedule, eval sheet) | | | |
| 14 | | | | | |