DigForIT Course Description

Digital Forensics Investigation Techniques (22-26 Apr 2024)

AM break 1000-1015
PM break 1430-1445

Time        | Monday                                      | Tuesday       | Wednesday             | Thursday                | Friday
0800 – 0915 | Course intro; 1 – Intro to Digital Forensics | 3 – FAT32     | 5 – Windows Forensics | 7 – Memory Forensics    | Exercise
0915 – 1145 | Lab 1 – X-Ways                              | Lab 3 – FAT32 | Lab 5 – Windows       | Lab 7 – Memory          | Exercise presentations
1145 – 1245 | Lunch                                       | Lunch         | Lunch                 | Lunch                   | Lunch
1245 – 1400 | 2 – Volumes and Partitions                  | 4 – NTFS      | 6 – Linux Forensics   | Exercise (instructions) | Critique & Exam
1400 – 1630 | Lab 2 – Volumes                             | Lab 4 – NTFS  | Lab 6 – Linux         | Exercise                | Departure (1415)

Other lab resources:
Lab setup instructions
Aide-mémoire

General Information

This document is a contract between DigForIT students and the instructor (Dr. Vincent Roberge). You must read it and understand it. We will discuss the important points during the first lesson.

Objectives

Digital forensics is a branch of forensic science which focuses on the recovery and analysis of information found in digital systems. The objective of the Short Course in Digital Forensics Investigation Techniques (DigForIT) is to provide students with a basic foundation in digital forensics theory and techniques. This course is designed for students who currently have a basic understanding of computer security and who wish to learn the fundamentals of digital forensics with practical applications.

Topics of study are image acquisition, volume and partition recovery, file system structure, recovery of deleted files, operating system artifacts, e-mail systems, web browser activity, USB drive activity, timeline reconstruction and volatile memory analysis.

Reference Textbooks

No textbook is required to complete this course. All study material needed by the students is provided as printouts at the beginning of the course. This material is based on several textbooks, online materials and experiments by the instructor. However, the core of the course is based on the three references below:

  • B. Carrier, “File System Forensic Analysis”, Addison-Wesley, 2005, 569 p.
  • H. Carvey, “Windows Forensic Analysis Toolkit”, 4th ed., Syngress, 2014, 321 p.
  • M. H. Ligh et al., “The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory”, Wiley, 2014, 886 p.


Course Material

At the beginning of the course, a binder containing the lecture slides and the lab instructions will be given to each student. Students should bring pens and pencils in order to take notes during the course. During the labs, students will write their answers directly on the printed lab instructions. Students are expected to review the lecture material at night to prepare for the final exam.

Students are not required to bring a personal laptop to class, but can do so if they wish. Internet connectivity for personal laptops may be available, but is not guaranteed.

Course Organization

The course is divided into seven modules. Each module is composed of a lecture and a practical lab. The lectures are done in a semi-formal way where the instructor presents the material and students are encouraged to participate by answering questions, asking questions and sharing their experiences. There is also a summative exercise at the end of the course which allows students to apply the theory and techniques learned during the course in a realistic forensic investigation.

Module 1 – Introduction to Digital Forensics (1/2 day)

  • Defining digital forensics
  • Defining incident response
  • Phases of a forensic investigation
  • Phases of an incident response operation
  • Key principles
  • Introduction to the X-Ways Forensics software
  • Disk image acquisition using X-Ways
  • Searching, filtering, extracting and recovering files using X-Ways
  • Creating report tables using X-Ways

Module 2 – Volumes and Partitions (1/2 day)

  • Partitioning schemes (DOS/MBR and GPT)
  • Redundant array of independent disks (RAID)
  • Logical volume managers (Linux LVM, Microsoft LDM, Microsoft Storage Spaces)
  • Analysis and recovery of an MBR volume
  • Analysis and recovery of a GPT volume
  • Analysis and reconstruction of a RAID volume
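The following is an added illustration of the MBR analysis practised in this module; it is not part of the course materials or the lab instructions. It decodes the four 16-byte partition entries of an MBR, then follows the chain of extended boot records (EBRs) to enumerate logical partitions, converting their relative start addresses to absolute LBAs. The disk it runs on is a constructed in-memory dictionary of sectors (a hypothetical layout, not a real image); on a real image, replace `read_sector` with a function that seeks to `lba * 512` in the file.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # partition table follows the 446-byte boot code
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count
EXTENDED_TYPES = {0x05, 0x0F, 0x85}
TYPE_NAMES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x83: "Linux",
              0x05: "Extended", 0x0F: "Extended (LBA)", 0xEE: "GPT protective"}

def parse_table(sector):
    """Decode the four 16-byte entries of one MBR or EBR sector."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("short sector")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("boot signature 0x55AA missing: not a valid MBR/EBR")
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        if ptype == 0 and count == 0:
            continue                      # unused slot
        entries.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                        "name": TYPE_NAMES.get(ptype, f"unknown (0x{ptype:02X})"),
                        "lba_start": lba, "sectors": count})
    return entries

def list_partitions(read_sector):
    """Return every primary and logical partition with absolute LBA addresses.

    read_sector(lba) must return the 512 bytes at that sector. Logical partitions
    live in a chain of EBRs: in each EBR the first entry's start is relative to
    that EBR, while the link entry's start is relative to the extended partition
    itself. Mixing those two bases is the classic mistake when recovering by hand.
    """
    found = []
    for entry in parse_table(read_sector(0)):
        if entry["type"] not in EXTENDED_TYPES:
            found.append(entry)
            continue
        ext_base = entry["lba_start"]
        ebr_lba, visited = ext_base, set()
        while ebr_lba not in visited:            # guard against a looping chain
            visited.add(ebr_lba)
            ebr = parse_table(read_sector(ebr_lba))
            logical = next((e for e in ebr if e["type"] not in EXTENDED_TYPES), None)
            link = next((e for e in ebr if e["type"] in EXTENDED_TYPES), None)
            if logical:
                found.append(dict(logical, lba_start=ebr_lba + logical["lba_start"]))
            if not link:
                break
            ebr_lba = ext_base + link["lba_start"]
    return found

# --- constructed sample disk (hypothetical layout, not from a real system) -----
def _entry(status, ptype, lba, count):
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)

def _table_sector(*entries):
    table = b"".join(entries).ljust(64, b"\0")
    return b"\0" * TABLE_OFFSET + table + b"\x55\xAA"

SAMPLE_DISK = {
    0:      _table_sector(_entry(0x80, 0x07, 2048, 204800),     # bootable NTFS
                          _entry(0x00, 0x05, 206848, 409600)),  # extended container
    206848: _table_sector(_entry(0x00, 0x83, 2048, 102400),     # logical #1, relative to this EBR
                          _entry(0x00, 0x05, 204800, 204800)),  # next EBR, relative to ext. base
    411648: _table_sector(_entry(0x00, 0x83, 2048, 102400)),    # logical #2, end of chain
}

if __name__ == "__main__":
    for p in list_partitions(lambda lba: SAMPLE_DISK[lba]):
        print(f"{p['name']:<16} start={p['lba_start']:>8} sectors={p['sectors']:>8} boot={p['bootable']}")
```

The check on the 0x55AA signature is the first thing to do when a volume "disappears": if the signature is intact but the table entries are zeroed, the partitions are still on disk and can be re-derived from their own boot sectors; if the signature is gone, the whole sector was overwritten.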

Module 3 – FAT32 file system (1/2 day)

  • Historic overview
  • Concept of operation
  • Analysis of on-disk structures
  • Manually recovering deleted files
  • Automatically recovering deleted files using tools
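As an added illustration of the on-disk structures and the manual recovery practised in this module (not course material, and not the lab solution), the script below decodes the FAT32 BIOS Parameter Block, walks a directory cluster entry by entry, flags entries whose first byte was overwritten with 0xE5 on deletion, and recovers a deleted file from its surviving start cluster and size. The image it works on is constructed in memory (a hypothetical 64-sector volume); the only assumption the recovery makes is that the file was stored contiguously, since deletion zeroes its FAT chain.

```python
import struct
from datetime import datetime

ATTR_LFN, ATTR_DIRECTORY, DELETED_MARK = 0x0F, 0x10, 0xE5

def parse_bpb(boot_sector):
    """Read the FAT32 BIOS Parameter Block fields needed to locate clusters."""
    if boot_sector[510:512] != b"\x55\xAA":
        raise ValueError("boot sector signature missing")
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", boot_sector, 11)
    fat_sectors, = struct.unpack_from("<I", boot_sector, 36)
    root_cluster, = struct.unpack_from("<I", boot_sector, 44)
    return {"bps": bps, "spc": spc, "root_cluster": root_cluster,
            "cluster_bytes": bps * spc,
            "data_start": reserved + nfats * fat_sectors}   # first sector of cluster 2

def cluster_offset(bpb, cluster):
    """Byte offset of a data cluster in the image; valid clusters start at 2."""
    if cluster < 2:
        raise ValueError(f"cluster {cluster} is not a data cluster")
    return (bpb["data_start"] + (cluster - 2) * bpb["spc"]) * bpb["bps"]

def fat_datetime(date, time):
    """Decode the packed 16-bit FAT date (years since 1980) and time (2-second resolution)."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def parse_directory(data):
    """Walk 32-byte short-name entries; LFN entries are skipped and 0x00 ends the list."""
    entries = []
    for off in range(0, len(data) - 31, 32):
        raw = bytes(data[off:off + 32])
        if raw[0] == 0x00:
            break
        attr = raw[11]
        if attr == ATTR_LFN:
            continue
        deleted = raw[0] == DELETED_MARK
        name = (b"?" + raw[1:8]) if deleted else raw[0:8]   # first byte is lost on deletion
        base = name.decode("ascii", "replace").rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        hi, wtime, wdate, lo, size = struct.unpack_from("<HHHHI", raw, 20)
        entries.append({"name": f"{base}.{ext}" if ext else base, "deleted": deleted,
                        "directory": bool(attr & ATTR_DIRECTORY),
                        "first_cluster": (hi << 16) | lo, "size": size,
                        "modified": fat_datetime(wdate, wtime)})
    return entries

def carve_deleted(image, bpb, entry):
    """Recover a file from its directory entry alone.

    Deletion zeroes the FAT chain, so only the first cluster and the size survive;
    the recovery assumes contiguous clusters, which holds for most small files
    but not for fragmented ones (those need the FAT or content-based carving).
    """
    start = cluster_offset(bpb, entry["first_cluster"])
    nclusters = -(-entry["size"] // bpb["cluster_bytes"])   # ceiling division
    return bytes(image[start:start + nclusters * bpb["cluster_bytes"]])[:entry["size"]]

# --- constructed sample image (hypothetical, not from a real system) ----------
SECRET_DATA = b"constructed secret document contents\n" * 40   # 1480 bytes = 3 clusters

def _stamp(dt):
    return ((dt.year - 1980) << 9 | dt.month << 5 | dt.day,
            dt.hour << 11 | dt.minute << 5 | dt.second // 2)

def _dir_entry(name83, attr, first_cluster, size, dt):
    d, t = _stamp(dt)
    return struct.pack("<11s3B7HI", name83, attr, 0, 0, t, d, d,
                       first_cluster >> 16, t, d, first_cluster & 0xFFFF, size)

def build_sample_image():
    bps, spc, reserved, nfats, fat_sectors, total = 512, 1, 32, 2, 8, 64
    img = bytearray(bps * total)
    struct.pack_into("<HBHB", img, 11, bps, spc, reserved, nfats)
    struct.pack_into("<I", img, 32, total)
    struct.pack_into("<I", img, 36, fat_sectors)
    struct.pack_into("<I", img, 44, 2)           # root directory starts at cluster 2
    img[510:512] = b"\x55\xAA"
    bpb = parse_bpb(img)
    when = datetime(2024, 4, 22, 10, 15, 30)
    lfn = bytearray(32); lfn[0], lfn[11] = 0x41, ATTR_LFN   # a long-name entry to skip
    root = (_dir_entry(b"NOTES   TXT", 0x20, 3, 11, when) + bytes(lfn)
            + _dir_entry(b"\xE5ECRET  DOC", 0x20, 5, len(SECRET_DATA), when))
    img[cluster_offset(bpb, 2):cluster_offset(bpb, 2) + len(root)] = root
    img[cluster_offset(bpb, 3):cluster_offset(bpb, 3) + 11] = b"hello world"
    img[cluster_offset(bpb, 5):cluster_offset(bpb, 5) + len(SECRET_DATA)] = SECRET_DATA
    return img

if __name__ == "__main__":
    img = build_sample_image()
    bpb = parse_bpb(img)
    root_dir = img[cluster_offset(bpb, bpb["root_cluster"]):][:bpb["cluster_bytes"]]
    for e in parse_directory(root_dir):
        print(e)
    deleted = [e for e in parse_directory(root_dir) if e["deleted"]][0]
    print(carve_deleted(img, bpb, deleted) == SECRET_DATA)
```

Two things worth verifying by hand in the lab rather than trusting the script: that `data_start` computed from the BPB lands on a sector that really holds the root directory (a corrupted BPB shifts every cluster address), and that the recovered bytes look like the expected file type, since the start cluster of a deleted entry may already have been reused by a newer file.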

Module 4 – NTFS file system (1/2 day)

  • Historic overview
  • Concept of operation
  • Analysis of on-disk structures
  • Alternate Data Streams (ADS)
  • Identifying deleted files and associated metadata
  • Automatically recovering deleted files using tools
  • Introduction to image steganography

Module 5 – Windows Forensics (1/2 day)

  • Acquiring a Windows image
  • Mounting an image
  • Triaging and extracting forensically relevant files
  • Analysing the Registry
  • Analysing Event logs
  • Finding evidence of file download, program execution, file or folder opening, file deletion or file knowledge, external USB storage tracking, account usage and browser usage
  • Manually building a timeline of events

Module 6 – Linux Forensics (1/2 day)

  • Understanding Linux permissions
  • Understanding the file system hierarchy standard
  • Acquiring a disk image using Linux tools
  • Identifying relevant system and user files
  • Examining scheduled jobs and services
  • Analysing log files
  • Understanding the Ext file system
  • Automatically generating a timeline

Module 7 – Windows Memory Forensics (1/2 day)

  • Investigating kernel and process memory space
  • Acquiring memory using the DumpIt utility
  • Learning the Volatility Framework
  • Identifying critical Windows processes
  • Listing processes, network connections and handles
  • Detecting privilege escalation
  • Detecting memory injection
  • Understanding kernel-mode and user-mode rootkits
  • Detecting and analysing user-mode rootkits

Summative Exercise – Investigating a small computer network (1 day)

  • Conducting a digital forensic investigation in a team
  • Investigating Windows and Linux computers
  • Identifying artefacts of interest
  • Analysing artefacts to deduce the actions of the attackers
  • Documenting the evidence and their analysis
  • Writing an investigation report
  • Communicating the result of the investigation

Laboratory

At the end of each module, students complete a lab exercise to practise the theory seen in class. The labs are done in virtual machines that are remotely accessed from computers in the RMC labs. Students are required to write down their answers on the printed lab instructions as they complete the lab. Students are not required to submit lab reports. The labs are debriefed at the beginning of the next lecture where the instructor shows and discusses the solution with the students. During the labs, students are encouraged to collaborate with other students, but should write their own answer on their own lab instructions.

At the end of each set of lab instructions, there is a supplemental section. This section is optional and is not part of the course learning objectives. It is there for students who finish the lab early and who wish to further their knowledge on topics related to the lab. The lab supplemental section is not assessed on the final exam.

Final Exercise

The final exercise consists of a forensic investigation of a small computer network composed of Linux and Windows computers that have been compromised by an attacker. This exercise allows the student to apply the theory and techniques learned during the course to an open-ended problem. The aim of the investigation is to examine the computer systems, find the pieces of evidence, reconstruct what happened and answer who, what, when, how and why the attack occurred. The investigation is conducted in teams of 3 to 5 students. Each team writes an investigation report which they also present at the end of the investigation.

Final Examination

The course is assessed using a final examination which is based on the material presented in the lectures and applied in the labs. The exam includes multiple-choice and/or short-answer questions and must be completed individually. With the exception of the course Aide-mémoire (which contains tables to decode data structures), students are not allowed to use their course notes, any references or the Internet during the final exam. A penalty is given for incorrect multiple-choice answers. Students are expected to review their course notes at night in preparation for the final exam.

Course Assessment

The course is assessed as follows.

  • 20% Final exercise
  • 80% Final Exam

The passing mark for the final exam is 50%.

Withdrawal Policy

Students who wish to withdraw from the course for personal reasons are allowed to withdraw until the end of day 3. Once day 4 has started, registered students will receive a final mark for the course. Students withdrawing from the course are responsible for informing their unit.

Academic Integrity

Integrity is essential to the academic enterprise and its foundations in the open, independent, and free exchange of ideas. Academic Integrity violations are defined as cheating, plagiarism or other violations of academic ethics. You are encouraged to read RMC academic regulation 23 regarding Academic Integrity.

In this course, you are encouraged to:

  • Collaborate with other students during the labs, but write your own answers.
  • Collaborate with other students on your teams during the final exercise.

In this course, you are not allowed to:

  • Collaborate with other students during the final exam.
  • Use resources that are not specifically allowed during the final exam.

Expectations

  • Arrive on time and prepared for the lectures.
  • Put in the effort to complete the lab work.
  • Be open-minded. Each of you has a different background and a different level of competency in computers and digital forensics. Participate in class and share your experience.

Copyright

All material provided by your instructor is subject to copyright and is intended only for your use within the context of your course. You are not authorized to distribute such material by any means without written permission. It is a departure from academic integrity to electronically record the entirety or any part of a class or to distribute, publicly post, sell or otherwise disseminate an instructor’s course materials or to provide an instructor’s course materials to anyone else for distribution, posting, sales or other means of dissemination, without the instructor’s express written consent. Any unauthorized recording of classes or distribution of course materials will be treated as a violation of academic ethics and investigated under the applicable Academic Integrity regulation and could be subject to other disciplinary or legal processes.
