EE547 Digital Forensics
Schedule
Wed 13h00-15h30 (lecture in s4214)
Wed 15h30-16h00 (lab in s5104)
References
- B. Carrier. “File System Forensic Analysis”, Addison Wesley, 2005, 569 p.
- M.H. Ligh et al., “The Art of Memory Forensics – Detecting Malware and Threats in Windows, Linux and Mac Memory”, Wiley, 2014, 886 p.
- Harlan Carvey, “Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 8”, 4th Edition, Syngress, 210, 350 p.
Resource
| Wk | Date | Lectures | References | Others | Laboratories |
|---|---|---|---|---|---|
| 1 | 13 Sep 22 | Intro to digital forensics (recording) | Carrier §1-3 | | Lab setup; Lab 1 – Intro to X-Ways (due 20 Sep at 13h00) |
| 2 | 20 Sep 22 | Volumes and partitions (recording) | Carrier §4-7 | | Lab 2 – Volumes and Partitions (due 27 Sep at 13h00) |
| 3 | 27 Sep 22 | FAT32 file system (recording) | Carrier §8-10 | | Lab 3 – FAT32 (due 4 Oct at 13h00) |
| 4 | 4 Oct 22 | NTFS file system (recording) | Carrier §11-13 | | Lab 4 – NTFS (due 18 Oct at 13h00) |
| 5 | 11 Oct 22 | Windows (recording) | Carvey | | Lab 4 cont’d |
| 6 | 18 Oct 22 | Windows (cont’d); Linux (recording) | Carvey | | Lab 5 – Windows 10 (due 25 Oct at 13h00) |
| 7 | 25 Oct 22 | Linux (cont’d) | | | Lab 6 – Linux (due 1 Nov at 13h00) |
| 8 | 1 Nov 22 | Windows Objects (recording); Process, handles and tokens (recording) | Ligh §1, 3-5; Ligh §6 | Must have selected a research paper | Lab 7 – Memory Acquisition (due on 8 Nov at 13h00) |
| 9 | 8 Nov 22 | Process memory internals (recording) | Ligh §7-8 | | Lab 8 – Malicious Processes (due on 15 Nov at 13h00) |
| 10 | 15 Nov 22 | Kernel forensics and rootkits (recording) | Ligh §13 | | Lab 9 – Rootkits (due on 22 Nov at 13h00) |
| 11 | 22 Nov 22 | Final exercise (recording) | | | Final exercise (Instructions, template) (due on 6 Dec at 13h00) |
| 12 | 29 Nov 22 | No class (work on exercise and presentation) | | | Final exercise |
| 13 | 6 Dec 22 | Student presentations (schedule, eval sheet) | | May be pushed to the following week. | |
| 14 | | | | | |