CYB 3551 - Digital Forensics

2 lecture hours 2 lab hours 3 credits

Course Description
This course introduces students to the concepts of digital forensics. Digital forensics is a branch of forensic science encompassing the preservation, identification, recovery, investigation, examination, and analysis of material found in digital devices (networks, memory, operating systems files, etc.). Digital forensics can be used to aid in criminal investigations, accident investigations, corporate breach investigations, and other cybersecurity incidents. The course introduces students to acceptable approaches for collecting, analyzing, and reporting data from a forensics investigation. Students will be required to perform several forensics analyses in a controlled lab environment, including acquiring forensically sound hard drive images, memory images and analyzing these using industry standard tools. Students will also be exposed to the types of forensic data that may be left on mobile devices, IoT devices, and other embedded systems, and be able to explain the techniques used on these devices to obtain forensic data.
Prereq: CSC 3210
Note: None
This course meets the following Raider Core CLO Requirement: None

Course Learning Outcomes
Upon successful completion of this course, the student will be able to:

Explain the basic concepts of computer organization
Compare and contrast data storage types within computer systems
Explain the challenges of securely deleting information from modern computer file systems
Discuss the rules, laws, policies, and procedures that affect digital forensics
Discuss the ethical aspects of digital forensics as are applicable to the design of digital devices and conducting forensic activities
Identify when a digital forensics investigation is required and define the appropriate actions that can be taken
Learn proper procedures for preserving, collecting, analyzing, and reporting digital evidence related to a forensic investigation
Understand the concepts related to acquiring a forensically sound image
Acquire a forensically sound image
Identify forensic artifacts left by attacks
Utilize industry-used tools to perform basic digital forensic activities
Identify forensic artifacts left behind by attacks/crimes such as applications logs, filesystem data and metadata, operating system logs, and memory contents
Utilize industry-used tools to analyze and recover digital evidence from various operating systems and types of media and use this information to develop a timeline of user/malicious actor activities
Determine the way an operating system or application has been subverted
Recover "deleted" and/or intentionally hidden information from various types of media
Demonstrate proficiency with handling many kinds of devices

Prerequisites by Topic

Basic familiarity with Linux
Shell scripting
Virual machine usage
Low level file systems exposure

Course Topics

Review of computer organization
Storage media types and operations
Linux kernels and filesystems
Linux distributions
Image formats
Digital investigations
- E-discovery
- Authentication of evidence
- Chain of custody procedures
- Metadata
- Root cause analysis
- Using virtual machines for analysis specializations
Data acquisition
Device forensics
Memory forensics
Operating system forensics
Network forensics
Mobile device forensics
Legal compliance
- Applicable laws
- Affidavits
- How to testify
- Case law
- Chain of custody
Warrants

Laboratory Topics

Review of command line Linux and shell scripting
Linux forensics tools introduction
Evidence collection and duplication
Reading and interpreting file systems
Attaching to real hardware devices
Memory analysis
Network forensics
Secure erase of file systems
Log analysis

Coordinator
Dr. Walter Schilling

Add to Portfolio.

Close Window