Schedule

This page is a schedule of topics and readings. Lecture notes up before class are drafts, and may be updated sometime following each lecture. Please remember that the notes (when available) are a supplement to, not a replacement for, attending class and taking your own notes. This schedule is approximate, and may change at my discretion (for example, if we spend more time on a particular topic than initially planned).

Each unit in the schedule is composed of 1-4 lectures (one each class), which is approximately one or two weeks. I will update this schedule and the notes as the semester progresses.

Assignments

• A separate page lists assignments and due dates.
• Assignments write ups are posted to our Moodle site.
• Fall 2023 Add/Drop deadline: Monday Sept 11.
• Fall 2023 Last day to Drop with ‘W’ and select ‘P/F’ : Oct 31
• Fall 2023 Special dates: Tuesday Oct 10 (monday schedule; oct 9 no class); Nov 22-26 (no class)
• Last day of this class: Wednesday Dec 6
• **Final Exam: 12/11/2023, Monday 3:30PM - 5:30PM.

Topics, Lectures, and Assigned Reading

Unit 1: Intro

Topics

• Basics of Forensics
• A Motivating Example
• Brief Introduction to Python for Forensics
• 4th Amendment and related items

Lectures

• Sept 06: 01: Introduction and 01b: A motivating example
• Sept 11: 2a: Introduction to the 4th Amendment
• Sept 13: More from the previous day.

Reading

• Carrier, Chapter 1. Reminder: Carrier is available free online by logging into the UMass Library and using O’Reilly Safari.
• Handout 1: A Motivating Example

Optional Materials

• On Python:
  • https://docs.python.org/3.11/ (in particular, the tutorial and first few chapters of the library reference)
  • https://learnxinyminutes.com/docs/python3/
• A good resource for basic stuff about computers they don’t teach in college is Upgrading & Repairing PCs by Mueller. The version the library has for free is from 2013, but still a really good book. You can purchase the real book from 2015 version; it’s too bad it’s no longer updated regularly.

Unit 2: Data Representation and Carving

Topics

• Data Representation
• Carving Data from Files

Lectures

• Sept 18: 03: What makes forensics a science? (and some python notes)
• Sept 20: 04: carving strings and 05: int to binary and back again

Reading

• Carrier, Chapter 2 and 3

Optional Materials

• Handout 2: Data Representation

• On ASCII and Unicode:

  • https://en.wikipedia.org/wiki/ASCII and https://garbagecollected.org/2017/01/31/four-column-ascii/
  • Wikipedia Unicode, UTF-8, and UTF-16

Unit 3: Volumes, Partitions, and FAT

Topics

• Disk Image Acquisition
• File system Forensics: Master Boot Records (MBRs), GPTs, partitions, volumes
• FAT file systems

Lectures

• Sep 25: 06: Acquisition, Volumes, MBRs
• Sep 27: 07: GPTs, Intro to the FAT file system
• Oct 02: 08: FATs and Directory Entries
• Oct 04: More on parsing FAT filesystems

Reading

• For Sept 25 and 27 and Assignment 3
  • Carrier, Chapter 4
  • Carrier, part of Chapter 5 (ONLY the section on “DOS Partitions”)
  • Carrier, part of Chapter 6 (ONLY the section on “GPT Partitions”)
• For Sept 27 and Oct 2 and Assignment 4
  • Carrier, all of Chapters 8, 9, 10

Optional Materials

Volumes and partitions:

• https://en.wikipedia.org/wiki/Master_boot_record
• https://en.wikipedia.org/wiki/Partition_type
• https://en.wikipedia.org/wiki/Cylinder-head-sector
• https://en.wikipedia.org/wiki/GUID_Partition_Table
• Sedory on MBRs (2013)
• Sedory on BIOSes (2012)

FAT:

• Design of the FAT file system
• FAT: General Overview of On-Disk Format
• FAT16 vs. FAT32
• FAT explanation by Igor Kholodov
• Deleting files: Wright et al (2008), Garfinkel (2007), NIST 800-88 (2006), Gutmann (1996)

Unit 4: Forensic Science

Topics

• Criminal Forensics
  • Forensics is science applied to law (G. Sapir, Daubert)
  • Contraband and knowing possession (G. Marin)
  • Indicia of intent (T. Howard)

Lectures

• Oct 09: No UMass classes (but we do have class TUESDAY OCT 10)
• Oct 10 TUESDAY: 10: Daubert, Witnesses; What is Possession?

Reading

• G. Sapir, Qualifying the Expert Witness Forensic Magazine, February 2007.
• G. Marin, Possession of Child Pornography: Should You be Convicted When the Computer Cache Does the Saving for You? Florida Law Review, Volume 60, Issue 5, December 2008 (Note: don’t be an idiot! This article and others we’ll read discuss methods of downloading from the Internet related to child sexual abuse materials. Enrollment in this class is never authorization to break any laws. Do not even search for keywords related to CSAM, and certainly don’t download any materials. You will end up in court and/or jail for a long time and ruin your entire life.)
• T. Howard, Don’t Cache Out Your Case: Prosecuted Child Pornography Possession Laws Based on Images Located in Temporary Internet Files Berkeley Technology Law Journal (Fall 2004), pp. 1229-1230
• Excerpts from “A Guide to Forensic Testimony: The Art and Practice of Presenting Testimony as an Expert Technical Witness”. F.C. Smith & R.G. Bace (2002). Boston, MA: Addison-Wesley. (available from UMass Library from the O’Reilly database or pdf)

Optional Materials

• The Daubert Trilogy:
  • Daubert v. Merrell Dow Pharmaceuticals
  • General Electric Co. v. Joiner
  • Kumho Tire Co. v. Carmichael

Unit 5: Cryptographic and Perceptual Hashes

Topics

• Cryptographic hashes
• Perceptual hashes
• Small block forensics

Lectures

• Oct 11: 11: Hashes Covered by Final Exam. (Not on Midterm.)

Reading

• A. Ramos, Introduction To Perceptual Hashes: Measuring Similarity [link]

• S. Garfinkel, The Tricky Cryptographic Hash Function [link]. ;login:, Winter 2020

• S. Garfinkel et al. Distinct Sector Hashes for Target File Detection, IEEE Computer, December 2012 [link]

Lectures

• Oct 16: Midterm Review session
• Oct 18: MIDTERM EXAM 7pm–9pm (Building: Engineering Laboratory 2 (ELAB2), Room: 119)

Reading

Unit 7: NTFS

Topics

• NTFS File systems

Lectures

• Oct 23: 13: Introduction to NTFS And midterm answers.
• Oct 25: 14: More on NTFS.
• Oct 30: NTFS finish up; and Carpenter and ECPA

Reading

• Carrier, Chapter 11, 12, 13
• Summary: The Supreme Court Rules in Carpenter v. United States. by Sabrina McCubbin, Lawfare, June 22, 2018

Optional Materials

• NTFS
• Linux-NTFS project

Unit 8: Network Investigations I

Topics

• IP addresses and other network values
• Peer-to-peer network investigations

Lectures

• Nov 01: 15: IP addresses, Peer-to-Peer, Trojan Horse Defense
• Nov 06: Continuation of networking
• Nov 08: More on TCP/IP

Reading

• M. Liberatore, R. Erdely, T. Kerle, B. Levine, C. Shields, Forensic Investigation of Peer-to-Peer File Sharing Networks (pdf)
  • You are welcome to read the entire paper, but you need only read about BitTorrent. So that’s Section 2.1.2, all of Section 3, the 4 paragraph intro of Section 4, and all of Section 4.2.
  • Note that the paper has some discussion child exploitation, mostly statistics but some are graphic.

• I have posted an networking introduction available on moodle only.

• S. Brenner on the Trojan Horse Defense

Optional Materials

• R. Walls, B. Levine, M. Liberatore, and C. Shields, Effective Digital Forensics Research is Investigator-Centric (pdf)
• Helpful networking introduction: Chapter 21 from Eoghan Casey’s forensics textbook free from the UMass library.

Unit 11: Network Investigations II

Topics

• Tor and other darknets
• NITs
• Investigations without NITs
• Expert witnessing

Lectures

• Nov 13: 18: Network Investigative Techniques
• Nov 15: 19: Network Investigations without NITS

Reading

• Tor: Overview
• Tor: Hidden Service Protocol
• Article posted our moodle site.
• Warning: frank discussion of child abuse. I’m going to make a redacted version on moodle: A Forensically Sound Method of Identifying Downloaders and Uploaders in Freenet Proceedings of ACM CCS 2020.

Optional Materials

• Trigger warning: These articles discuss child abuse in a frank manner.
• Susan Hennessy The Elephant in the Room: Addressing Child Exploitation and Going Dark Aegis Paper series no. 1701
• Orin Kerr, Government ‘hacking’ and the Playpen search warrant (alt link)
• Orin Kerr, Remotely accessing an IP address inside a target computer is a search

• Affidavit from Jayson Street (an example of an expert witness’s output) [pdf]

Unit 10: Windows Artifacts

Topics

• Windows forensics

Lectures

• Nov 20: Finish up networking investigations
• Nov 22: NO CLASS (Thanksgiving Break)
• Nov 27: 16: Intro to Windows Forensics

Reading

• EZ Tools
  • Some help with RECmd
• lnk files explanation
• Registry Forensics:
  • Registry analysis 101
  • 13cubed cheat sheet
• Recycle bins blog post
• Windows Forensics Cookbook by Oleg Skulkin, Scar de Courcier

Optional:

• USB database
• Installing autopsy on macos
• Forensics focus
• Recycle Bin explanation (for older versions of windows)
• Access data cheat sheet (very old!)
• Some random person’s batch recipes for EZ Tools

• SANS poster (outdated but interesting)
• For those wondering about Mac forensics, here’s a good intro from Simson Garfinkel (2019).

Unit 11: Other

• Nov 29: 17: Synthetic Image and Video Generation. See moodle for slides.
• Dec 04: 18: Safe Design. No notes (not on final exam): see Design for Safety by Eva Penzey Moog and available free online via the UMass library.
• Dec 06: Review for final

Reading:

• Slides on moodle are based on: “Creating, Using, Misusing, and Detecting Deep Fakes” by Hany Farid. In Journal of Trust and Safety. Sept 2022.

Final Exam

• UMass policy: https://www.umass.edu/registrar/fall-final-exam-matrix
• Monday December 11, 2023 at 330pm-530pm. Engineering Lab II Room 119. Same rules/policies as the midterm. No electronics, closed notes, leave all backpacks and phones at the front of the room, etc.