Schedule

This page is a schedule of topics and readings. Lecture notes will often but not always be posted sometime following each lecture. Please remember that the notes (when available) are a supplement to, not a replacement for, attending class and taking your own notes. This schedule is approximate, and may change at my discretion (for example, if we spend more time on a particular topic than initially planned).

Assignments and due dates are listed separately.

Schedule

Each unit in the schedule will be approximately one week (two lectures); some units may take three or four lectures. I will update this schedule as the semester progresses.

Unit 1

Topics

  • Basics of Forensics
    • A Motivating Example
    • Data Representation
  • Brief Introduction to Python for Forensics

Lectures

Reading

Carrier, Chapter 1 (and optionally start 3)

Other optional readings and resources

Unit 2

  • Carving Data from Files
  • Metadata in Data: EXIF as a case study

Lectures

Reading

Carrier, Chapter 2

Other optional readings and resources

Unit 3

  • Criminal/Legal Forensics
    • Forensics is science applied to law (G. Sapir, Daubert)
    • Contraband and knowing possession (G. Marin)
    • Indicia of intent (T. Howard)

Lectures

Reading

Other optional readings and resources

Midterm Exam 1

The first midterm will be on Thursday, February 23rd, during our regular lecture meeting time. Please arrive promptly and seat yourself such that you are not immediately adjacent to other students.

Unit 4

Network Investigations I

Lectures

Reading

Other optional readings and resources

Unit 5

  • Disk Image Acquisition
  • Filesystem Forensics: Master Boot Records (MBRs), GPTs, partitions, volumes
  • FAT Filesystems

Lectures

Reading

  • Carrier, Chapters 3, 4, 5 (through DOS Partitions), Chapter 6 (just GPT Partitions)
  • Carrier, Chapters 8, 9, 10

Optional reading

Volumes and partitions:

FAT:

Unit 6

  • NTFS Filesystems

Lectures

Reading

  • Carrier, Chapters 11, 12, 13

Optional reading

Unit 7

  • Network Investigations II: Wiretapping Technology and Privacy; Email Investigations

Lectures

Reading

  • S. Bellovin et al., Going Bright: Wiretapping without Weakening Communications Infrastructure [doi link] [local copy]
  • S. Bellovin et al., Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet [doi link] [local copy]

Optional reading

Midterm Exam 2

The second midterm will be on Thursday, April 6th, during our regular lecture meeting time. Please arrive promptly and seat yourself such that you are not immediately adjacent to other students.

Unit 8

  • Malware and Related Legal Issues (The Trojan Horse defense)
  • Windows Artifacts

Lectures

Reading

Optional reading

Unit 9

  • Cell Phone Forensics

Lectures

Reading

  • S. Garfinkel et al., Using purpose-built functions and block hashes to enable small block and sub-file forensics [link] [doi link]
  • R. Walls et al., Forensic Triage for Mobile Phones with DEC0DE. [link]
  • S. Varma et al., Efficient Smart Phone Forensics Based on Relevance Feedback [link]

Optional reading

Unit 10

  • Storage Technology: Spinning platters and solid state

Lectures

Reading

Unit 11

  • Practicalities of Being an Expert Witness

Lectures

Optional reading

  • Chapter 5 from Smith, F.C., & Bace, R.G. (2002). A Guide to Forensic Testimony: The Art and Practice of Presenting Testimony as an Expert Technical Witness. Boston, MA: Addison-Wesley. (available from WorldCat)
  • Affidavit from Jayson Street (an example of an expert witness's output) [pdf]
  • My Cousin Vinny [imdb link]

Final Exam

Our exam is scheduled for:

05/04/2017
Thursday
10:30am--12:30pm
Morrill I N375

Please note (from the Academic Rules and Regulations):

...it is University policy not to require students to take more than two final examinations in one day of the final examination period. If any student is scheduled to take three examinations on the same day, the faculty member running the chronologically middle examination is required to offer a make-up examination if the student notifies the instructor of the conflict at least two weeks prior to the time the examination is scheduled. The student must provide proof of the conflict. This may be obtained from the Registrar's Office, 213 Whitmore.