Schedule

This page is a schedule of topics and readings. Lecture notes will often, but not always, be posted sometime after each lecture. Please remember that the notes (when available) are a supplement to, not a replacement for, attending class and taking your own notes. This schedule is approximate and may change at my discretion (for example, if we spend more time on a particular topic than initially planned).

Each unit in the schedule will be approximately one week (two lectures); some units may take three or four lectures. I will update this schedule as the semester progresses.

Assignments and due dates are listed separately.

Unit 1: Intro

Topics

  • Basics of Forensics
    • A Motivating Example
    • Data Representation
  • Brief Introduction to Python for Forensics

Lectures

Reading

Carrier, Chapter 1 (and optionally start 3)

Other optional readings and resources

Unit 2: Carving and Exif

  • Carving Data from Files
  • Metadata in Data: EXIF as a case study
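The two topics above fit together in one worked example, added here as illustration and not code from the course or from Carrier's text: a JPEG carver that walks marker segments instead of stopping at the first FF D9 (an EXIF thumbnail is itself a JPEG with its own SOI/EOI, so the naive "first footer after the header" carver truncates the file), followed by a reader that pulls the ASCII tags out of IFD0 of the EXIF APP1 segment. The "disk image", the photo, and the camera strings in it are constructed inline; the minimal JPEG it builds has no real image data.

```python
import struct

# TIFF/EXIF tag numbers used below (from the TIFF and EXIF specifications).
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime"}

def jpeg_end(buf, start):
    """Offset just past the EOI of the JPEG at `start`: walk marker segments up to
    SOS and only then search for FF D9. In entropy-coded data 0xFF is always
    followed by 0x00 or an RSTn marker, so the first FF D9 after SOS is the end."""
    p = start + 2                                  # skip SOI
    while p + 4 <= len(buf):
        if buf[p] != 0xFF:
            return None                            # not a marker: corrupt/not JPEG
        marker = buf[p + 1]
        if marker == 0xD9:                         # EOI with no image data
            return p + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:
            p += 2                                 # standalone markers, no length
            continue
        seg_len = int.from_bytes(buf[p + 2:p + 4], "big")
        if seg_len < 2:
            return None
        p += 2 + seg_len
        if marker == 0xDA:                         # SOS: entropy-coded data follows
            eoi = buf.find(b"\xff\xd9", p)
            return None if eoi < 0 else eoi + 2
    return None

def carve_jpegs(image):
    """Header/footer carving with segment walking; returns (offset, bytes) pairs."""
    found, pos = [], 0
    while (start := image.find(b"\xff\xd8\xff", pos)) >= 0:
        end = jpeg_end(image, start)
        if end is None:
            pos = start + 1
            continue
        found.append((start, image[start:end]))
        pos = end
    return found

def carve_jpegs_naive(image):
    """The 'first FF D9 after FF D8' carver, kept only to show its failure mode."""
    found, pos = [], 0
    while (start := image.find(b"\xff\xd8\xff", pos)) >= 0:
        eoi = image.find(b"\xff\xd9", start + 2)
        if eoi < 0:
            break
        found.append((start, image[start:eoi + 2]))
        pos = eoi + 2
    return found

def exif_tags(jpeg):
    """Find the APP1 'Exif' segment and return IFD0's ASCII tags by name."""
    p = 2
    while p + 4 <= len(jpeg) and jpeg[p] == 0xFF:
        marker = jpeg[p + 1]
        if marker == 0xDA:
            break                                  # no EXIF before image data
        seg_len = int.from_bytes(jpeg[p + 2:p + 4], "big")
        if marker == 0xE1 and jpeg[p + 4:p + 10] == b"Exif\x00\x00":
            return parse_ifd0(jpeg[p + 10:p + 2 + seg_len])
        p += 2 + seg_len
    return {}

def parse_ifd0(tiff):
    bo = {b"II": "<", b"MM": ">"}[tiff[:2]]        # byte-order mark
    magic, ifd_off = struct.unpack_from(bo + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF header")
    (count,) = struct.unpack_from(bo + "H", tiff, ifd_off)
    tags = {}
    for i in range(count):
        tag, typ, n, raw = struct.unpack_from(bo + "HHI4s", tiff, ifd_off + 2 + 12 * i)
        if typ != 2:                               # only ASCII values handled here
            continue
        if n <= 4:
            data = raw[:n]                         # value stored inline
        else:
            (off,) = struct.unpack(bo + "I", raw)  # else offset from TIFF header
            data = tiff[off:off + n]
        tags[TAG_NAMES.get(tag, hex(tag))] = data.rstrip(b"\x00").decode("ascii", "replace")
    return tags

# --- constructed fixtures (not real files) ---
def build_exif_app1(tags, trailer=b""):
    entries, data = b"", b""
    data_start = 8 + 2 + 12 * len(tags) + 4       # header + count + entries + link
    for tag, text in sorted(tags.items()):
        val = text.encode("ascii") + b"\x00"
        if len(val) <= 4:
            entries += struct.pack("<HHI4s", tag, 2, len(val), val.ljust(4, b"\x00"))
        else:
            entries += struct.pack("<HHII", tag, 2, len(val), data_start + len(data))
            data += val
    tiff = b"II*\x00" + struct.pack("<IH", 8, len(tags)) + entries + struct.pack("<I", 0) + data + trailer
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload

def build_jpeg(exif=None, entropy=b"", trailer=b""):
    out = b"\xff\xd8" + (build_exif_app1(exif, trailer) if exif else b"")
    out += b"\xff\xdb" + struct.pack(">H", 6) + b"\x00\x01\x02\x03"   # fake DQT
    out += b"\xff\xda" + struct.pack(">H", 4) + b"\x01\x00"           # SOS header
    return out + entropy + b"\xff\xd9"

THUMB = b"\xff\xd8\xff\xd9"   # stand-in for an EXIF thumbnail (a real one sits in IFD1)
PHOTO = build_jpeg({0x010F: "Canon", 0x0110: "EOS 5D", 0x0132: "2018:05:09 10:30:00"},
                   entropy=bytes(range(200)), trailer=THUMB)
PLAIN = build_jpeg(entropy=b"\x12\x34" * 64)
IMAGE = bytes(512) + PHOTO + b"\x41" * 200 + PLAIN + bytes(100)
```

Running `carve_jpegs(IMAGE)` recovers both files intact at their offsets, while `carve_jpegs_naive(IMAGE)` returns a truncated first file that ends at the thumbnail's EOI; `exif_tags` on the first carved file yields the Make, Model, and DateTime strings. Only ASCII tags and IFD0 are handled; real tools also walk the EXIF sub-IFD and IFD1 and must bounds-check every offset, since EXIF offsets come from untrusted input.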

Lectures

Reading

Carrier, Chapter 2

Other optional readings and resources

Unit 3: Forensic Science and Law

  • Criminal/Legal Forensics
    • Forensics is science applied to law (G. Sapir, Daubert)
    • Contraband and knowing possession (G. Marin)
    • Indicia of intent (T. Howard)

Lectures

Reading

Other optional readings and resources

Unit 4: Network Investigations I

  • NITs and Tor

Lectures

Reading

Other optional readings and resources

Unit 5: Volumes, Partitions, and FAT

  • Disk Image Acquisition
  • Filesystem Forensics: Master Boot Records (MBRs), GPTs, partitions, volumes
  • FAT Filesystems
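As an added illustration of the MBR, partition, and FAT topics (example code, not from the course or from Carrier's book), the following parses a DOS partition table, follows the first FAT partition to its boot sector, reads the BIOS Parameter Block, and computes where the FATs, root directory, and data area sit, plus the cluster-to-sector mapping. The "image" is a constructed 1 MiB stub with one FAT16 partition; the BPB values are chosen to show the 16-bit total-sector field being zero and the 32-bit field used instead, and the FAT type is decided from the cluster count rather than from the "FAT16" label in the boot sector.

```python
import struct

SECTOR = 512
FAT_TYPES = {0x01, 0x04, 0x06, 0x0B, 0x0C, 0x0E}   # DOS partition type codes for FAT12/16/32

def parse_mbr(sector):
    """Decode the four 16-byte entries of the DOS partition table at offset 446."""
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature")
    parts = []
    for i in range(4):
        e = sector[446 + 16 * i: 462 + 16 * i]
        lba, count = struct.unpack_from("<II", e, 8)    # CHS fields (1..3, 5..7) ignored
        if e[4] == 0:
            continue                                    # unused entry
        parts.append({"index": i, "bootable": e[0] == 0x80, "type": e[4],
                      "lba_start": lba, "sectors": count})
    return parts

def parse_fat_boot_sector(bs):
    """Read the BIOS Parameter Block and derive the volume layout in sectors."""
    if bs[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature")
    (bps, spc, reserved, nfats, root_entries,
     total16, _media, spf16) = struct.unpack_from("<HBHBHHBH", bs, 11)
    (total32,) = struct.unpack_from("<I", bs, 32)
    (spf32,) = struct.unpack_from("<I", bs, 36)         # FAT32 only
    total = total16 or total32                          # 16-bit field is 0 when too large
    spf = spf16 or spf32
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps   # 0 on FAT32
    fat_start = reserved
    root_start = fat_start + nfats * spf
    data_start = root_start + root_dir_sectors
    clusters = (total - data_start) // spc
    # FAT type follows from the cluster count, not from the ASCII label at offset 54
    fs_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc, "fat_start": fat_start,
            "root_start": root_start, "data_start": data_start,
            "cluster_count": clusters, "fs_type": fs_type}

def cluster_to_sector(layout, cluster):
    """Cluster numbering starts at 2 at the first sector of the data area."""
    if cluster < 2:
        raise ValueError("clusters 0 and 1 are reserved")
    return layout["data_start"] + (cluster - 2) * layout["sectors_per_cluster"]

def analyze_image(image):
    """Describe each MBR partition; volume-relative sectors become image-relative
    by adding the partition's starting LBA."""
    report = []
    for p in parse_mbr(image[:SECTOR]):
        if p["type"] == 0xEE:
            report.append({**p, "note": "protective MBR: parse the GPT at LBA 1 instead"})
        elif p["type"] in FAT_TYPES:
            off = p["lba_start"] * SECTOR
            layout = parse_fat_boot_sector(image[off:off + SECTOR])
            layout["first_data_sector_abs"] = p["lba_start"] + layout["data_start"]
            report.append({**p, **layout})
        else:
            report.append(p)
    return report

# --- constructed fixture (not a real image): an MBR and one FAT16 boot sector ---
def build_mbr(entries):
    mbr = bytearray(SECTOR)
    for i, (ptype, lba, count) in enumerate(entries):
        off = 446 + 16 * i
        mbr[off] = 0x80 if i == 0 else 0x00
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def build_fat16_boot_sector():
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x3c\x90"
    bs[3:11] = b"MSWIN4.1"
    # bps=512, spc=4, reserved=4, 2 FATs, 512 root entries, total16=0, media=0xF8, spf=64
    struct.pack_into("<HBHBHHBH", bs, 11, 512, 4, 4, 2, 512, 0, 0xF8, 64)
    struct.pack_into("<I", bs, 32, 65536)                # 32-bit total sector count
    bs[54:62] = b"FAT16   "                              # label only; not trusted above
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)

PART_LBA = 2048
IMAGE = bytearray(SECTOR * (PART_LBA + 1))               # stub: the partition's tail is absent
IMAGE[:SECTOR] = build_mbr([(0x06, PART_LBA, 65536)])
IMAGE[PART_LBA * SECTOR:] = build_fat16_boot_sector()
IMAGE = bytes(IMAGE)
```

`analyze_image(IMAGE)` reports the FAT16 volume starting at LBA 2048 with its FAT at sector 4, root directory at 132, and data area at 164 (absolute sector 2212), and cluster 10 maps to volume sector 196. A partition of type 0xEE is flagged as a protective MBR so that the GPT header at LBA 1 is read instead of trusting the legacy table.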

Lectures

Reading

  • Carrier, Chapters 3 and 4, Chapter 5 (through DOS Partitions), and Chapter 6 (just GPT Partitions)
  • Carrier, Chapters 8, 9, and 10

Optional reading

Volumes and partitions:

FAT:

Unit 6: NTFS

  • NTFS Filesystems

Lectures

Reading

  • Carrier, Chapters 11, 12, and 13

Optional reading

Unit 7: Network Investigations II

  • Wiretapping Technology and Privacy; Email Investigations

Lectures

Reading

  • S. Bellovin et al., Going Bright: Wiretapping without Weakening Communications Infrastructure [doi link] [local copy]
  • S. Bellovin et al., Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet [doi link] [local copy]

Optional reading

Unit 8: Malware and Windows Artifacts

  • Malware and Related Legal Issues (The Trojan Horse defense)
  • Windows Artifacts

Lectures

Reading

Optional reading

(The last few units may change as a result of course content updates.)

Unit 9: Cell Phone Forensics

Lectures

Reading

  • S. Garfinkel et al., Using purpose-built functions and block hashes to enable small block and sub-file forensics [link] [doi link]
  • R. Walls et al., Forensic Triage for Mobile Phones with DEC0DE [link]
  • S. Varma et al., Efficient Smart Phone Forensics Based on Relevance Feedback [link]
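The first reading's block-hash idea is small enough to show in code. The example below is added here and is not from the paper or the course: every sector-aligned block of a known target file is hashed, the image is hashed at the same granularity, and matching sectors are reported, so a file is found even when it is fragmented or only partly present. Blocks that appear in more than one target file, and the all-zero block, are treated as "common" and ignored, since they identify nothing. The target files and the image are constructed inline from deterministic pseudo-random blocks.

```python
import hashlib

BLOCK = 512   # hash at sector granularity so matches line up with on-disk allocation

def block_hashes(data, block=BLOCK):
    """SHA-256 of each full, block-aligned chunk. A trailing partial block is
    dropped: on disk it is padded with slack, so its hash would not match anyway."""
    return [hashlib.sha256(data[i:i + block]).hexdigest()
            for i in range(0, len(data) - len(data) % block, block)]

def build_index(files):
    """hash -> [(file name, block number), ...] over all known target files."""
    index = {}
    for name, data in files.items():
        for n, h in enumerate(block_hashes(data)):
            index.setdefault(h, []).append((name, n))
    return index

def common_hashes(index):
    """Hashes that cannot identify a single file: the zero block and any block
    shared by two or more targets (shared boilerplate, format headers, ...)."""
    zero = hashlib.sha256(bytes(BLOCK)).hexdigest()
    shared = {h for h, owners in index.items() if len({name for name, _ in owners}) > 1}
    return shared | {zero}

def scan(image, index, ignore):
    """Yield (image sector, file name, file block) for every distinctive match."""
    hits = []
    for sector, h in enumerate(block_hashes(image)):
        if h in ignore:
            continue
        for name, n in index.get(h, []):
            hits.append((sector, name, n))
    return hits

def find_known_files(image, files):
    index = build_index(files)
    report = {name: {"total": len(block_hashes(data)), "matched": set(), "sectors": {}}
              for name, data in files.items()}
    for sector, name, n in scan(image, index, common_hashes(index)):
        report[name]["matched"].add(n)
        report[name]["sectors"][n] = sector
    return report

# --- constructed fixture: two "documents" and a fragmented image (no real files) ---
def fake_block(label):
    return hashlib.sha256(label.encode()).digest() * (BLOCK // 32)

CONTRACT = [fake_block(f"contract:{i}") for i in range(6)]
TEMPLATE = [fake_block("template:0"), CONTRACT[1], fake_block("template:2")]  # shares block 1
FILES = {"contract.docx": b"".join(CONTRACT), "template.docx": b"".join(TEMPLATE)}
ZERO = bytes(BLOCK)
# contract block 2 is absent, the rest is out of order, with noise and zero sectors between
IMAGE = b"".join([ZERO, fake_block("noise:1"), CONTRACT[0], CONTRACT[1], fake_block("noise:2"),
                  CONTRACT[4], CONTRACT[5], ZERO, CONTRACT[3], fake_block("noise:3"), TEMPLATE[2]])
```

`find_known_files(IMAGE, FILES)` reports contract.docx with 4 of 6 blocks found (blocks 0, 3, 4, 5 at sectors 2, 8, 5, 6; block 1 is discounted because template.docx also contains it, and block 2 is not on the image) and template.docx with 1 of 3. The same scan works on a phone's flash dump as on a disk image; what changes is the block size, which must match the device's allocation unit for the alignment assumption to hold.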

Optional reading

Unit 10: Miscellanea

  • Image Analysis
  • Storage Technology
  • Practicalities of Expert Witnessing

Lectures

Optional reading

Final Exam

Our exam is scheduled for:

May 09, 2018
Wednesday
10:30am–12:30pm
Hasbrouck Addition Laboratory 124

Please note (from the Academic Rules and Regulations):

…it is University policy not to require students to take more than two final examinations in one day of the final examination period. If any student is scheduled to take three examinations on the same day, the faculty member running the chronologically middle examination is required to offer a make-up examination if the student notifies the instructor of the conflict at least two weeks prior to the time the examination is scheduled. The student must provide proof of the conflict. This may be obtained from the Registrar’s Office, 213 Whitmore.