Schedule

This page is a schedule of topics and readings. Lecture notes will often but not always be posted sometime following each lecture. Please remember that the notes (when available) are a supplement to, not a replacement for, attending class and taking your own notes. This schedule is approximate, and may change at my discretion (for example, if we spend more time on a particular topic than initially planned).

Assignments and due dates are listed separately.

Schedule

Each unit in the schedule will be approximately one week (two lectures); some units may take three or four lectures. I will update this schedule as the semester progresses.

Unit 1

Topics

  • Basics of Forensics
    • A Motivating Example
    • Data Representation
  • Brief Introduction to Python for Forensics

Lectures

Reading

Carrier, Chapter 1 (and optionally start 3)

Other optional readings and resources

Unit 2

  • Carving Data from Files
  • Metadata in Data: EXIF as a case study

Lectures

Reading

Carrier, Chapter 2

Other optional readings and resources

Unit 3

  • Criminal/Legal Forensics
    • Forensics is science applied to law (G. Sapir, Daubert)
    • Contraband and knowing possession (G. Marin)
    • Indicia of intent (T. Howard)

Lectures

Reading

Other optional readings and resources

Midterm Exam 1

The first midterm will be on Thursday, February 23rd, during our regular lecture meeting time. Please arrive promptly and seat yourself such that you are not immediately adjacent to other students.

Unit 4

  • Network Investigations I

Lectures

Reading

Other optional readings and resources

Unit 5

  • Disk Image Acquisition
  • Filesystem Forensics: Master Boot Records (MBRs), GPTs, partitions, volumes
  • FAT Filesystems

Lectures

Reading

  • Carrier, Chapters 3, 4, 5 (through DOS Partitions), and Chapter 6 (just GPT Partitions)
  • Carrier, Chapters 8, 9, 10

Optional reading

Volumes and partitions:

FAT:

Unit 6

  • NTFS Filesystems

Lectures

Reading

  • Carrier, Chapters 11, 12, 13

Optional reading

Unit 7

  • Network Investigations II:
    • Wiretapping Technology and Policy
      • S. Bellovin et al., Going Bright: Wiretapping without Weakening Communications Infrastructure
      • S. Bellovin et al., Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet
    • Email Investigations

Midterm Exam 2

The second midterm will be on Thursday, April 6th, during our regular lecture meeting time. Please arrive promptly and seat yourself such that you are not immediately adjacent to other students.

Unit 8

  • Windows Artifacts
    • H. Carvey, Windows Forensic Analysis, available through UMass Library online
    • J. Barbara, Windows 7 Registry Forensics (seven-part series)
    • additional tools installed on EdLab machines (lnkinfo, msiecfinfo, msicfexport, liblnk, libmsiecf)

Unit 9

  • Storage Technology: Spinning platters, solid state, and carving files.
    • https://belkasoft.com/en/ssd-2014
    • http://www.toolwar.com/2014/04/scalpel-data-carving-tools.html
  • Malware and Related Legal Issues (The Trojan Horse defense)

Unit 10

  • Cell Phones
    • S. Garfinkel et al., Using purpose-built functions and block hashes to enable small block and sub-file forensics
    • R. Walls et al., Forensic Triage for Mobile Phones with DEC0DE
    • S. Varma et al., Efficient Smart Phone Forensics Based on Relevance Feedback

Unit 11

  • Being an Expert Witness
    • Chapter 5 from Smith, F.C., & Bace, R.G. (2002). A Guide to Forensic Testimony: The Art and Practice of Presenting Testimony as an Expert Technical Witness. Boston, MA: Addison-Wesley.
    • Affidavit from Jayson Street (an example of an expert witness’s output)

Final Exam

Our exam is scheduled for:

Thursday, 05/04/2017, 10:30am–12:30pm, Morrill I N375

Please note (from the Academic Rules and Regulations):

…it is University policy not to require students to take more than two final examinations in one day of the final examination period. If any student is scheduled to take three examinations on the same day, the faculty member running the chronologically middle examination is required to offer a make-up examination if the student notifies the instructor of the conflict at least two weeks prior to the time the examination is scheduled. The student must provide proof of the conflict. This may be obtained from the Registrar’s Office, 213 Whitmore.