152/252 Computer Forensics
The following are absolutely essential to take the course:
- Good moral character. Ability and willingness to respect ethical boundaries.
- Familiarity with at least one type of operating system (Windows, Unix/Linux or
DOS experience preferred).
- Some programming experience.
- Access to a computer with a hex editor.
These are desirable:
- Familiarity with OS theory and practice.
- Familiarity with networking.
- Some knowledge of the U.S. legal system.
Textbooks:
- John Sammons: The Basics of Digital Forensics: The Primer for Getting Started
in Digital Forensics, Syngress, ISBN 978-1597496612 (required)
- Brian Carrier: File System Forensic Analysis, Addison-Wesley Professional,
1st edition (March 17, 2005) (recommended)
- Ligh, Adair, Hartstein, Richard: Malware Analyst's Cookbook and DVD: Tools
and Techniques for Fighting Malicious Code, Wiley (recommended)
Topics covered:
- Nature of forensic evidence. Email tracing, internet fraud, URL obscuring.
- Evidence collection. Legal issues. Primer on storage systems.
- Hard drive imaging. File systems. Storage systems forensics I.
- Storage systems forensics II.
- Storage systems forensics III.
- Live system investigations.
- Network protocols and analysis.
- Malware and hacking I.
- Malware and hacking II.
- Incident response and reporting.
Learning outcomes:
- Students will be able to analyze the ethical issues of a forensic problem
using the method put forth by the Markkula Center for Applied Ethics.
- Students will know the procedures to properly collect digital forensic evidence,
the importance of preserving the chain of custody, and the use of tested tools.
- Students will understand the legal issues involved in gathering and using
evidence (such as constitutional protections, privacy rights, and the roles of
expert witnesses, witnesses, jury and judge), monitoring, and setting up use policies.
- Students will understand the principles of disk drive imaging and reconstruction.
- Students will understand and be able to execute a live analysis of a computer
system, and understand both the benefits of such a live analysis and the damage it does.
- Students will understand basic network protocols, analyze capture files,
and use common information sources in order to find malware packets.
- Students will be able to document findings and will know the reporting
requirements of law enforcement agencies and private entities.
A total of at least 50% of all points in the midterm and the final examination
combined is necessary to pass the course.
Laboratories (weekly and take-home)