IST463: Digital Evidence and Computer Investigation
by Daniel Demenetiev

Syllabus

  1. Lecture notes:
    1. Introduction to Computer Forensics
    2. Understanding Computer Investigation (also read the second chapter from the book)
    3. Lecture 3:
      1. Hexadecimal numbers
      2. LAB: Learning FAT12 with WinHex
    4. Forensically cleaned media
    5. LAB: Working on an evidence floppy disk
    6. Using FTK for the same floppy case
    7. LAB: Working with an evidence CD
    8. Known-plaintext attack (theory) and performing a known-plaintext attack with ZipKey
    9. Turn AutoRun CD on and off
    10. LAB: Flash Card case
    11. FTK Search Lab: please answer the following questions about this hard disk image.
    12. Analysing Windows Registry
    13. LAB: work on the arson case. In this case you may assume that you have already acquired the forensic image of the evidence hard drive. As a result, you need to present your work journal and an FTK report with all the evidence found bookmarked.
  2. Projects and assignments:
    1. Project 1: floppy drive test policy. Due date is Feb 16, 2008 by midnight.
    2. Project 1.5: Forensic image of a floppy disk. Due date is TBA.
    3. Project 2: floppy case report (analysis only). Due date is Saturday, March 1, 2008 by 11:59pm.
    4. Project 3: CD case report (evidence report only). Due date is Saturday, April 12, 2008.
    5. Project 4: Flash card case. Due date is Saturday, April 19, 2008.
    6. Project 5: creating a hard drive "map" from MBRs and boot sectors (in-class project).
    7. Project 6: wiping a hard drive and creating a forensic copy with Solo-3 (in-class project).
    8. Project 7: arson case due before the final exam.
  3. Links to additional information sources: