Schedule

This page is a schedule of topics and readings. Lecture notes up before class are drafts, and may be updated sometime following each lecture. Please remember that the notes (when available) are a supplement to, not a replacement for, attending class and taking your own notes. This schedule is approximate, and may change at my discretion (for example, if we spend more time on a particular topic than initially planned).

Each unit in the schedule will be approximately one week (two lectures); some units may take three or four lectures. I will update this schedule and the notes as the semester progresses.

Assignments and due dates are listed separately.

Unit 1: Intro

Topics

  • Basics of Forensics
    • A Motivating Example
    • Data Representation
  • Brief Introduction to Python for Forensics

Lectures

Reading

Carrier, Chapter 1 (and optionally start 3)

Other optional readings and resources

Unit 2: Carving and Exif

  • Carving Data from Files
  • Metadata in Data: EXIF as a case study

Lectures

Reading

Carrier, Chapter 2

Other optional readings and resources

Unit 3: Forensic Science and Law

  • Criminal/Legal Forensics
    • Forensics is science applied to law (G. Sapir, Daubert)
    • Contraband and knowing possession (G. Marin)
    • Indicia of intent (T. Howard)

Lectures

Reading

Other optional readings and resources

Unit 4: Network Investigations I

  • NITs and Tor

Lectures

Reading

Other optional readings and resources

Unit 5: Volumes, Partitions, and FAT

  • Disk Image Acquisition
  • Filesystem Forensics: Master Boot Records (MBRs), GPTs, partitions, volumes
  • FAT Filesystems

Lectures

Reading

  • Carrier, Chapter 3, 4, 5 (through DOS Partitions), Chapter 6 (just GPT Partitions)
  • Carrier, Chapter 8, 9, 10

Optional reading

Volumes and partitions:

FAT:

Unit 6: NTFS

  • NTFS Filesystems

Lectures

Reading

  • Carrier, Chapter 11, 12, 13

Optional reading

Unit 7: Network Investigations II; Malware and Windows Artifacts

  • Wiretapping Technology and Privacy; Email Investigations
  • Malware and Related Legal Issues (The Trojan Horse defense)
  • Windows Artifacts

Lectures

Reading

Optional reading

(The last few units may change as a result of course content updates.)

Unit 8: Cell Phone Forensics

Lectures

Reading

  • S. Garfinkel et al., Using purpose-built functions and block hashes to enable small block and sub-file forensics [link] [doi link]
  • R. Walls et al., Forensic Triage for Mobile Phones with DEC0DE. [link]
  • S. Varma et al., Efficient Smart Phone Forensics Based on Relevance Feedback [link]

Optional reading

Unit 9: Miscellanea

  • Memory Forensics
  • Image Analysis
  • Practicalities of Expert Witnessing

Lectures

  • Chapter 5 from Smith, F.C., & Bace, R.G. (2002). A Guide to Forensic Testimony: The Art and Practice of Presenting Testimony as an Expert Technical Witness. Boston, MA: Addison-Wesley. (available from WorldCat)
  • My Cousin Vinny [imdb link]
  • Affidavit from Jayson Street (an example of an expert witness’s output) [pdf]

Final Exam

Our exam is scheduled for:

May 08, 2018
Wednesday
10:30am–12:30pm
Goessman Lab room 20