
CSE4004 Digital Forensics LTPJC 3 0 2 0 4

v.1.1
Objectives
• To learn about examining, preventing and fighting digital crimes
• To learn about data acquisition and storing digital evidence
• To explore operating system file structure and file systems
• To understand mobile device forensics and acquisition procedures

Expected Outcome
After successfully completing the course the student should be able to
1. Describe the role of a computer forensics professional in an investigation
2. Describe the legal requirements for the use of seized data
3. Process crime and incident scenes
4. Recover data in a Windows environment
5. Perform investigations on e-mails
6. Explore current computer forensics hardware and software tools
7. Discuss the challenges associated with mobile device forensics
Modules (LHrs = lecture hours, SLO = student learning outcome)

Module 1 (6 hrs, SLO 2): Computer Forensics and Investigation
    Understanding computer forensics, Preparing for Computer Investigations, Corporate High Tech Investigation
Module 2 (6 hrs, SLO 4): Data Acquisition and Recovery
    Storage formats, Using acquisition tools, Data Recovery: RAID data acquisition
Module 3 (9 hrs, SLO 9): Processing Crime and Incident Scene
    Identifying and collecting evidence, Preparation for search, Seizing and storing digital evidence
Module 4 (9 hrs, SLO 9): Computer Forensics Tools (EnCase) and Windows Operating System
    Understanding file structure and file system, NTFS disks, Disk encryption and Registry manipulation,
    Computer forensics software and hardware tools
Module 5 (7 hrs, SLO 2): Computer Forensics Analysis and Validation
    Data collection and analysis, Validation of forensic data, Addressing data hiding techniques
Module 6 (6 hrs, SLO 9): Email Investigation and Mobile Device Forensics
    Investigating e-mail crimes and violations, Using specialized e-mail forensics tools,
    Understanding mobile device forensics and acquisition procedures
Module 7 (2 hrs, SLO 5): Role of Digital Forensics in Real-Time Applications
    SANS SIFT investigative toolkit, ProDiscover Basic, Volatility, The Sleuth Kit, CAINE investigative environment
Module 8: Industry Trends

Text Books:

1. Bill Nelson, Amelia Phillips, Christopher Steuart, "Guide to Computer Forensics and
   Investigations", Fourth Edition, Cengage Learning, 2016

References:
1. David Lilburn Watson, Andrew Jones, "Digital Forensics Processing and Procedures",
   Syngress, 2013.
2. Cory Altheide, Harlan Carvey, "Digital Forensics with Open Source Tools", Syngress, 2011.
3. Greg Gogolin, "Digital Forensics Explained", CRC Press, 2013.

Computer Forensics Lab Equipment:

Forensic Tower

To support parallel forensic processing, the lab must have a centralized forensic tower that
provides data duplication, parallel analysis, operating system emulation and integration with
forensic analysis software. The forensic tower is one of the lab's most valuable assets: its
evidence ports are write-blocked by default, so acquisition and analysis can be carried out on a
single all-in-one station.

Forensic Toolkit
A comprehensive mobile toolkit containing everything needed to perform a complete forensic
acquisition: write blockers, wipers, hard drive duplicators, power adapters, imaging hardware
and so on. The computer forensic examiner needs a hardware write blocker to avoid altering the
original evidence. Write blockers are available for many connection types, including USB,
FireWire, SATA and IDE.

Hard Disk Duplicators


The hard disk duplicator copies the source hard disk containing the evidence to one or more
destination disks. In some cases the speed of the imaging process is critical: hard disk
duplicators typically run at 4 to 9 GB per minute, and some can copy to more than one destination
disk at a time.

Mobile Devices and chargers


The examiner must have a range of cables and chargers for mobile devices. Dedicated mobile
forensic hardware, such as Paraben's products, is a topic in its own right.

Password Recovery tools


Regular users can use any software for password recovery, but for professionals the matter is
different. Many vendors offer hardware devices that recover passwords from encrypted files using
dictionary and brute-force attacks. A Distributed Network Attack (DNA) application is also needed
if the combined processing power of machines across the network is to be used.

Data Recovery
Forensic labs should have data recovery hardware that can read drives with bad or partially
corrupted sectors that cannot be imaged with ordinary software. Such hardware bypasses the
operating system and the BIOS when they prevent access to the damaged areas, reducing the time and
effort needed to recover the data.

Wipers

If a hard disk is to be reused in another forensic case, all data on it must first be erased with a
software or hardware wiper.

Spare Parts
The forensic lab must have spare RAM, network cards, hard disks, CD/DVD writers, removable
memory and different types of cables.

Software Required on the PCs:

Raptor (free): Imaging tool with a write blocker that prevents the operating system from mounting
    the target hard drive.
dd (often read as "data duplicator"; free): Open source tool for copying and converting data; used
    to quickly clone drives or create exact raw disk images.
Hashcat (free): Open source password cracking tool.
John the Ripper (free): Open source password cracking tool.
Autopsy / The Sleuth Kit (free): Open source digital forensics platform.
OSForensics (Professional edition, US$899): Digital forensics tool with multiple capabilities:
    recovering deleted files, collecting system information, extracting passwords, viewing active
    memory, searching files and within files, and more.
EnCase (Professional edition, US$3594): Traditionally used in forensics to recover evidence from
    seized hard drives. Allows the investigator to conduct in-depth analysis of user files to
    collect evidence such as documents, pictures, Internet history and Windows Registry information.

Lab Environment: Fully patched operating system such as Windows 7/8/10 with virtual machines
installed on it.
Lab Exercises (Indicative List)

Exercise 1 : Computer Forensics Investigation Process


The computer forensics investigation process is a methodical approach to preparing for an
investigation, collecting and analyzing digital evidence, and managing the case from the reporting
of the crime until the case's conclusion.

Exercise 2: Computer Forensics Lab


Overview of Computer Forensics Lab
A computer forensics lab (CFL) is a designated location for conducting computer-based
investigations on collected evidence.

Exercise 3: Understanding Hard Disks and File Systems


When investigating a computer-based crime it is essential to understand hard disks and file
systems, as these are the main sources of stored data. Offenders usually try to delete their
tracks after committing a crime with a computer.

Exercise 4: Windows Forensics


Windows forensics applies computer forensics, the broad discipline concerned with crimes
committed with the use of computers and governed by the various laws passed against cybercrime,
to Windows systems.

Exercise 5: Data Acquisition and Duplication


Data acquisition is the process of gathering evidence or information. It is carried out using
established methods to acquire data from the suspect storage media in order to gain access to
information about the crime.

Exercise 6: Recovering Files and Partitions


File and partition recovery allows you to recover critically important documents and other files
that have been lost through accidental deletion, intentional deletion to conceal evidence, a
system crash, or a virus.
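Recovering a deleted partition, as Exercise 3 and Exercise 6 describe it, comes down to two steps: read what the partition table still says, then carve the disk for file system boot sectors the table no longer points to. The following is an added Python example written for this syllabus; it is not code from the course or its textbooks. The 64-sector disk image is constructed in memory, with one live NTFS partition and one whose MBR entry has been zeroed, and the function names are this example's own.

```python
"""Partition recovery from a raw disk image: parse the MBR partition table and
carve for NTFS boot sectors whose table entry has been deleted."""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"
PART_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x05: "Extended", 0x0F: "Extended (LBA)", 0x83: "Linux"}


def parse_mbr(sector0: bytes):
    """Return the non-empty entries of the four-slot MBR partition table.
    Entry layout (16 bytes at 446 + 16*i): status, CHS start (3), type,
    CHS end (3), LBA start (uint32 LE), sector count (uint32 LE)."""
    if len(sector0) < SECTOR or sector0[510:512] != BOOT_SIG:
        raise ValueError("no 0x55AA boot signature: not an MBR")
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * i)
        if ptype == 0 or count == 0:
            continue                              # empty slot (or deleted entry)
        entries.append({"slot": i, "bootable": status == 0x80,
                        "type": PART_TYPES.get(ptype, f"0x{ptype:02X}"),
                        "lba_start": lba, "sectors": count,
                        "byte_offset": lba * SECTOR})
    return entries


def find_ntfs_boot_sectors(image: bytes):
    """Carve: an NTFS boot sector carries 'NTFS    ' at offset 3, the boot
    signature at 510, and the volume size in sectors as a uint64 at 40."""
    hits = []
    for n in range(len(image) // SECTOR):
        s = image[n * SECTOR:(n + 1) * SECTOR]
        if s[3:11] == b"NTFS    " and s[510:512] == BOOT_SIG:
            total = struct.unpack_from("<Q", s, 40)[0]
            # NTFS records the volume size minus one sector; the partition's
            # last sector holds the backup boot sector.
            hits.append({"lba_start": n, "sectors": total + 1})
    return hits


def recover_deleted_partitions(image: bytes):
    """Boot sectors with no matching MBR entry are candidates for recovery."""
    listed = {e["lba_start"] for e in parse_mbr(image[:SECTOR])}
    return [h for h in find_ntfs_boot_sectors(image) if h["lba_start"] not in listed]


def _ntfs_boot_sector(partition_sectors: int) -> bytes:
    """Constructed minimal NTFS boot sector for the demo image."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x52\x90"                  # jump instruction
    bs[3:11] = b"NTFS    "                     # OEM ID
    struct.pack_into("<H", bs, 11, SECTOR)     # bytes per sector
    bs[13] = 8                                 # sectors per cluster
    struct.pack_into("<Q", bs, 40, partition_sectors - 1)
    bs[510:512] = BOOT_SIG
    return bytes(bs)


def build_demo_image() -> bytes:
    """Constructed 64-sector disk: slot 0 is a live NTFS partition at LBA 8;
    a second partition at LBA 32 had its entry zeroed (deleted) but its own
    boot sector is still on disk."""
    image = bytearray(64 * SECTOR)
    struct.pack_into("<B3xB3xII", image, 446, 0x80, 0x07, 8, 16)
    image[510:512] = BOOT_SIG
    image[8 * SECTOR:9 * SECTOR] = _ntfs_boot_sector(16)
    image[32 * SECTOR:33 * SECTOR] = _ntfs_boot_sector(24)
    return bytes(image)


if __name__ == "__main__":
    img = build_demo_image()
    print("partition table:", parse_mbr(img[:SECTOR]))
    print("recoverable:", recover_deleted_partitions(img))
```

On a real image the same two functions run over `open("evidence.dd", "rb").read()`; the carved start sector and size are what you would feed to a tool such as The Sleuth Kit's `-o` offset option to mount or inspect the recovered volume.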

Exercise 7: Forensics Investigation Using Encase


EnCase is used to acquire data from a wide variety of devices and to unearth potential evidence
with disk-level forensic analysis.

Exercise 8: Steganography and Image file Forensics


The goal of steganography and image file forensics is to find images with steganographic
content and detect hidden content within digital images (image files) in a forensically sound
manner.
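Two of the simplest data hiding techniques an examiner meets in image file forensics (Module 5 and this exercise) are renaming a file so its extension lies about its type, and appending a payload after the image's end-of-file marker, where viewers ignore it. Below is an added Python example, not course code, that checks for both. The three sample files are constructed in memory (a minimal JPEG, the same JPEG with a ZIP archive appended, and a ZIP renamed to .png); the function names are this example's own.

```python
"""Detect extension/signature mismatches and data appended after an image ends."""
import struct

MAGIC = [(b"\xFF\xD8\xFF", "jpeg"), (b"\x89PNG\r\n\x1a\n", "png"),
         (b"GIF87a", "gif"), (b"GIF89a", "gif"),
         (b"PK\x03\x04", "zip"), (b"%PDF", "pdf")]
EXT_ALIAS = {"jpg": "jpeg", "jpe": "jpeg"}


def identify(data: bytes) -> str:
    """File type from its leading signature bytes, not its name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def jpeg_end(data: bytes) -> int:
    """Offset just past the EOI marker (FF D9), found by walking the marker
    segments. Searching for the last FF D9 is wrong: an appended payload
    may itself contain those two bytes."""
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected marker at offset {i}")
        marker = data[i + 1]
        if marker == 0xD9:                              # EOI
            return i + 2
        if 0xD0 <= marker <= 0xD8 or marker == 0x01:    # RSTn, SOI, TEM carry no length
            i += 2
            continue
        i += 2 + struct.unpack_from(">H", data, i + 2)[0]
        if marker == 0xDA:                              # SOS: entropy-coded data follows
            # Inside coded data an FF byte is always followed by 00 (byte
            # stuffing) or D0-D7 (restart markers); anything else is a marker.
            while i + 1 < len(data):
                if data[i] == 0xFF and data[i + 1] != 0x00 and not 0xD0 <= data[i + 1] <= 0xD7:
                    break
                i += 1
    raise ValueError("no EOI marker: truncated JPEG")


def png_end(data: bytes) -> int:
    """Offset just past the IEND chunk (4-byte length, type, data, 4-byte CRC)."""
    i = 8
    while i + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, i)
        i += 12 + length
        if ctype == b"IEND":
            return i
    raise ValueError("no IEND chunk: truncated PNG")


def inspect(filename: str, data: bytes) -> dict:
    """Report the detected type, whether the extension lies, and any bytes
    trailing the image's true end (and what those bytes look like)."""
    ext = filename.rsplit(".", 1)[-1].lower()
    kind = identify(data)
    end_of = {"jpeg": jpeg_end, "png": png_end}.get(kind)
    trailing = data[end_of(data):] if end_of else b""
    return {"detected": kind,
            "extension_mismatch": EXT_ALIAS.get(ext, ext) != kind,
            "trailing_bytes": len(trailing),
            "trailing_type": identify(trailing) if trailing else None}


# Constructed samples (not real photographs): a minimal but well-formed JPEG.
CLEAN_JPEG = (b"\xFF\xD8"                                                       # SOI
              + b"\xFF\xE0" + struct.pack(">H", 16)
              + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"                # APP0
              + b"\xFF\xDA" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3F\x00"  # SOS
              + b"\x12\xFF\x00\x34\xFF\xD0\x56"           # coded data with stuffing and RST0
              + b"\xFF\xD9")                                                    # EOI
STEGO_JPEG = CLEAN_JPEG + b"PK\x03\x04" + b"hidden payload\xFF\xD9"  # ZIP appended; contains a fake EOI
FAKE_PNG = b"PK\x03\x04" + b"\x00" * 26                                # a ZIP archive renamed to .png

if __name__ == "__main__":
    for name, blob in [("clean.jpg", CLEAN_JPEG), ("vacation.jpg", STEGO_JPEG), ("notes.png", FAKE_PNG)]:
        print(name, inspect(name, blob))
```

A non-zero `trailing_bytes` is a lead, not a verdict: some cameras and editors leave harmless padding, so the examiner carves the trailing bytes out and identifies them (here the signature check does that) before drawing conclusions.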

Exercise 9: Application Password Cracker


Password-protected files can be a hurdle in the investigation process, as forensic investigators
need to crack the passwords to gain access to the locked files. Password crackers use two primary
methods to identify the correct password: dictionary attacks and brute-force attacks.
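The two methods side by side, as an added Python example that is not part of the course material: a dictionary attack with simple mangling rules, and exhaustive brute force as the fallback when the dictionary misses. Real password-protected files (ZIP, Office, PDF) verify a password through a format-specific key derivation; here an unsalted SHA-256 stands in for that verification step, which is an assumption of this example, so the two search strategies can be seen in isolation. The wordlist and the two target hashes are constructed.

```python
"""Dictionary and brute-force password recovery against a stored verifier."""
import hashlib
import itertools
import string


def verifier(password: str) -> str:
    """Stand-in for the file format's password check (assumption: plain SHA-256)."""
    return hashlib.sha256(password.encode()).hexdigest()


def mangle(word: str):
    """Common dictionary 'rules': case variants, then each with a digit appended."""
    bases = []
    for base in (word, word.capitalize(), word.upper()):
        if base not in bases:
            bases.append(base)
    for base in bases:
        yield base
        for d in range(10):
            yield f"{base}{d}"


def dictionary_attack(target: str, wordlist):
    """Try every wordlist entry and its mangled forms.
    Returns (password or None, number of candidates tested)."""
    tried = 0
    for word in wordlist:
        for cand in mangle(word):
            tried += 1
            if verifier(cand) == target:
                return cand, tried
    return None, tried


def brute_force(target: str, alphabet: str, max_len: int):
    """Exhaust every string over `alphabet` up to max_len characters.
    Work grows as len(alphabet)**max_len, which is why it is the fallback
    and why distributed (DNA-style) cracking exists."""
    tried = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            tried += 1
            cand = "".join(combo)
            if verifier(cand) == target:
                return cand, tried
    return None, tried


# Constructed wordlist and targets for the demo.
WORDLIST = ["password", "welcome", "letmein", "dragon"]
TARGET_DICT = verifier("Letmein7")   # dictionary word plus a rule
TARGET_BRUTE = verifier("zq7")       # short random string, within brute-force reach


def demo():
    """Dictionary first; brute force only when the dictionary fails."""
    pw1, n1 = dictionary_attack(TARGET_DICT, WORDLIST)
    pw2, n2 = dictionary_attack(TARGET_BRUTE, WORDLIST)
    if pw2 is None:
        pw2, n2 = brute_force(TARGET_BRUTE, string.ascii_lowercase + string.digits, 3)
    return {"dictionary": (pw1, n1), "brute_force": (pw2, n2)}


if __name__ == "__main__":
    print(demo())
```

The candidate counts returned by `demo()` make the cost difference concrete: the mangled dictionary finds `Letmein7` in under a hundred guesses, while three lowercase-plus-digit characters already need tens of thousands, and each extra character multiplies that by 36.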
Exercise 10: Log Capturing and Event Correlation


Every device on a network generates logs of the actions carried out on it. Capturing and
analyzing these log files, and correlating events across them, is an important part of
investigating a security incident.
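Correlation means relating events to each other rather than reading them one at a time. The added Python example below, which is not part of the course material, runs one such rule over captured authentication logs: a source address that fails to log in repeatedly and then succeeds within a short window. The log lines are constructed in syslog/OpenSSH format; the year (absent from syslog timestamps) and the three-failures-in-120-seconds threshold are this example's assumptions.

```python
"""Event correlation over captured sshd logs: repeated failures followed by a
success from the same source within a time window."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log: one brute-force-then-success from 203.0.113.7,
# one isolated failure from 198.51.100.4, unrelated events elsewhere.
SAMPLE_LOG = """\
Mar 10 09:14:01 web01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Mar 10 09:14:05 web01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Mar 10 09:14:09 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 09:14:12 web01 CRON[2220]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 09:14:15 web01 sshd[2230]: Accepted password for admin from 203.0.113.7 port 51025 ssh2
Mar 10 09:20:00 web01 sshd[2300]: Failed password for bob from 198.51.100.4 port 40000 ssh2
Mar 10 09:45:00 web01 sshd[2350]: Accepted publickey for bob from 198.51.100.4 port 40010 ssh2
Mar 10 10:01:00 db01 sshd[1100]: Accepted password for alice from 192.0.2.9 port 50000 ssh2
"""


def parse_line(line: str, year: int = 2024):
    """Parse one sshd line into a dict; unrelated lines (cron etc.) give None.
    Syslog omits the year, so one is supplied (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev


def correlate(lines, threshold: int = 3, window: timedelta = timedelta(seconds=120)):
    """Per (host, source IP): `threshold` or more failures inside `window`
    followed by an Accepted login from the same source raises an alert."""
    failures = defaultdict(deque)      # (host, ip) -> times of recent failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[(ev["host"], ev["ip"])]
        while q and ev["time"] - q[0] > window:   # expire failures outside the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["time"])
        elif len(q) >= threshold:
            alerts.append({"host": ev["host"], "ip": ev["ip"], "user": ev["user"],
                           "failures": len(q),
                           "span_seconds": int((ev["time"] - q[0]).total_seconds())})
            q.clear()
    return alerts


def demo():
    return correlate(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The isolated failure from 198.51.100.4 is correctly ignored: by the time that user succeeds, the failure has aged out of the window. Tuning `threshold` and `window` is the usual trade-off between missed attacks and noise.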

Exercise 11: Network Forensics, Investigating log and Network Traffic


Network forensics is the sniffing, recording, acquisition and analysis of network traffic and
event logs in order to identify criminal activity and the people behind it.

Exercise 12: Tracking and Investigating Email Crimes


Investigating e-mail crimes is the process of tracing, collecting, analyzing and investigating
digital evidence and cyber trails, which can relate to offences such as e-mail spamming and mail
bombing / mail storms.
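Tracing an e-mail means reading its Received headers from the bottom up, since each relaying server prepends its own, and comparing what the headers claim with what the envelope says. The following is an added Python example, not course code or a specialized e-mail forensics tool, that does this with the standard library. The message is constructed (a phishing mail whose visible From does not match its Return-Path or Message-ID domain); the function names are this example's own.

```python
"""Trace an e-mail's relay path and flag common spoofing indicators."""
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message (RFC 5321/5322 documentation addresses and IPs).
RAW_EMAIL = """\
Return-Path: <bounce@promo-mailer.example>
Received: from mail.relay.example (mail.relay.example [198.51.100.25])
\tby mx.victim.example with ESMTP id 4Tq8x2; Tue, 12 Mar 2024 10:02:33 +0000
Received: from [203.0.113.50] (unknown [203.0.113.50])
\tby mail.relay.example with SMTP id 9Kd1p7; Tue, 12 Mar 2024 10:02:30 +0000
Message-ID: <20240312100230.1234@promo-mailer.example>
From: "Bank Support" <support@bank.example>
To: victim@victim.example
Subject: Urgent: verify your account

Click the link to verify your account.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value: str) -> dict:
    """Pull the sending host, its IP, the receiving host and the timestamp
    out of one Received header (folded lines are left as-is)."""
    from_host = re.search(r"^from (\S+)", value)
    by_host = re.search(r"\bby (\S+)", value)
    ip = IP_RE.search(value)
    date_part = value.rsplit(";", 1)[-1].strip()
    try:
        when = parsedate_to_datetime(date_part)
    except (TypeError, ValueError):
        when = None
    return {"from": from_host.group(1) if from_host else None,
            "ip": ip.group(1) if ip else None,
            "by": by_host.group(1) if by_host else None,
            "time": when}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def trace(raw: str) -> dict:
    """Hops in chronological order (last Received header first) plus
    envelope-vs-header consistency checks."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    header_from = parseaddr(msg.get("From", ""))[1]
    envelope_from = parseaddr(msg.get("Return-Path", ""))[1]
    msgid = msg.get("Message-ID", "")
    msgid_domain = re.search(r"@([^>\s]+)", msgid)
    times = [h["time"] for h in hops if h["time"] is not None]
    return {
        "hops": hops,
        "origin_ip": hops[0]["ip"] if hops else None,
        "header_from": header_from,
        "envelope_from": envelope_from,
        "envelope_header_mismatch": _domain(header_from) != _domain(envelope_from),
        "message_id_domain_mismatch": bool(msgid_domain)
            and msgid_domain.group(1).lower() != _domain(header_from),
        "timeline_consistent": all(a <= b for a, b in zip(times, times[1:])),
    }


if __name__ == "__main__":
    report = trace(RAW_EMAIL)
    for hop in report["hops"]:
        print(f"{hop['from']} [{hop['ip']}] -> {hop['by']} at {hop['time']}")
    print({k: v for k, v in report.items() if k != "hops"})
```

Only the Received headers added by your own mail servers can be trusted; everything below them was supplied by the sender and can be forged, which is why the timeline consistency and envelope/header comparisons are evidence to weigh, not proof on their own.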

Exercise 13: Mobile Forensics


Mobile device forensics is a branch of digital forensics relating to recovery of digital
evidence or data from a mobile device under forensically sound conditions.

Digital Forensics

Knowledge Areas that contain topics and learning outcomes covered in the course

Knowledge Area                                            Total Hours of Coverage
CS:IAS (Information Assurance and Security)               28
CE:OPS (Operating Systems) / CS:OS (Operating Systems)     7
CE:HCI (Human Computer Interaction)                        3
CS:PBD (Platform Based Development)                        4
CE:SPR (Social and Professional Issues)                    3


Body of Knowledge coverage

[List the Knowledge Units covered in whole or in part in the course. If in part, please indicate
which topics and/or learning outcomes are covered. For those not covered, you might want to
indicate whether they are covered in another course or not covered in your curriculum at all.
This section will likely be the most time-consuming to complete, but is the most valuable for
educators planning to adopt the CS2013 guidelines.]

KA / Knowledge Unit (Hours): Topics Covered

CS:IAS / CS:IAS Digital Forensics (10 hrs)
    Computer Forensics and Investigation: Understanding computer forensics, Preparing for Computer
    Investigations, Corporate High Tech Investigation
CS:IAS / CS:IAS Security Policy and Governance (8 hrs)
    Data Acquisition and Recovery: Storage formats, Using acquisition tools, Data Recovery: RAID
    data acquisition
CS:IAS / CS:IAS Digital Forensics (8 hrs)
    Processing Crime and Incident Scene: Identifying and collecting evidence, Preparation for
    search, Seizing and storing digital evidence
CE:OPS / CS:OS / CE:OPS6 Security and Protection, CE:OPS7 File Systems, CS:OS Device Management (5 hrs)
    Computer Forensics tools (EnCase) and Windows Operating System: Understanding file structure
    and file system, NTFS disks, Disk encryption and Registry manipulation
CS:SP / CE:SPR / CS:SP Analytical Tools, CE:SPR7 Computer Crime (3 hrs)
    Computer Forensics Analysis (EnCase) and Validation: Data collection and analysis, validation
    of forensic data, Addressing data hiding techniques
CS:IAS / CS:PBD / IAS Web Security, PBD Mobile Platform (5 hrs)
    Email Investigation and Mobile device Forensics: Investigating e-mail crimes and violations,
    Using specialized e-mail forensics tools, Understanding mobile device forensics and
    acquisition procedures
CS:HCI / CE:HCI / CS:HCI Collaboration and Communication, CE:HCI3 I/O Technologies (6 hrs)
    Computer Forensics software and hardware tools

Total hours: 45

Where does the course fit in the curriculum?


[In what year do students commonly take the course? Is it compulsory? Does it have pre-
requisites, required following courses? How many students take it?]

This course is:

• An elective course
• Suitable from the 5th semester onwards
• Knowledge of any one programming language is recommended
What is covered in the course?
Module 1: Computer Forensics and Investigation

Introduces you to the history of computer forensics and explains how the use of electronic
evidence developed. It also introduces legal issues and compares public and private sector cases.

Module 2: Data Acquisition and Recovery

Explains how to prepare to acquire data from a suspect’s drive and discusses available
command-line and GUI acquisition tools. It also discusses acquiring data from RAID systems
and gives you an overview of tools for remote acquisitions.

Module 3: Processing Crime and Incident Scene

Explains search warrants and the nature of a typical computer forensics case. It discusses when
to use outside professionals, how to assemble a team, and how to evaluate a case and explains
proper procedures for searching and seizing evidence.

Module 4: Computer Forensics tools (Encase) and Windows Operating System

Discusses the most common operating systems. You learn what happens and what files are
altered during computer startup and how each system deals with deleted and slack space.
Explores current computer forensics software and hardware tools, including those that might not
be readily available, and evaluates their strengths and weaknesses.

Module 5: Computer Forensics Analysis and Validation

Covers determining what data to collect and analyze and refining investigation plans. It also
explains validation with hex editors and forensics software, data-hiding techniques, and
techniques for remote acquisitions.
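Module 2 (acquisition with command-line tools such as dd) and Module 5 (validating the acquired data) describe one loop: image the drive sector by sector, log and zero-fill sectors the hardware cannot read so the image keeps its geometry, record the hash of what was written, and re-hash later to prove the image is unchanged. The following is an added Python example that is not part of the course material or textbook; it mirrors what `dd if=/dev/sdX of=image.dd bs=512 conv=noerror,sync` followed by a `sha256sum` comparison does. The "device" is a constructed in-memory byte string with one simulated bad sector, and the function names are this example's own.

```python
"""Sector-by-sector acquisition with bad-sector handling and hash validation."""
import hashlib
import io

SECTOR = 512


def make_source(data: bytes, bad_sectors: set):
    """Constructed stand-in for a block device: returns a read_sector(n)
    callable that raises OSError for the sectors listed in bad_sectors."""
    def read_sector(n: int) -> bytes:
        if n in bad_sectors:
            raise OSError(f"I/O error reading sector {n}")
        return data[n * SECTOR:(n + 1) * SECTOR]
    return read_sector


def acquire(read_sector, n_sectors: int, image):
    """Copy n_sectors sectors into the file-like `image`.

    Like dd's conv=noerror,sync: an unreadable sector is logged and written
    as SECTOR zero bytes so every later offset stays correct. Returns
    (bad_sectors, sha256_hex). The hash covers the bytes actually written,
    which is the value the acquisition record (chain of custody) must hold.
    """
    digest = hashlib.sha256()
    bad = []
    for n in range(n_sectors):
        try:
            chunk = read_sector(n)
        except OSError:
            chunk = b"\x00" * SECTOR
            bad.append(n)
        image.write(chunk)
        digest.update(chunk)
    return bad, digest.hexdigest()


def verify_image(image_bytes: bytes, recorded_hash: str) -> bool:
    """Validation step: re-hash the image and compare with the recorded value."""
    return hashlib.sha256(image_bytes).hexdigest() == recorded_hash


def demo():
    # Constructed 8-sector device: sector i is filled with the byte 'A'+i.
    device = b"".join(bytes([0x41 + i]) * SECTOR for i in range(8))

    # 1. Clean acquisition: the image hash equals the hash of the source itself.
    clean = io.BytesIO()
    bad, h_clean = acquire(make_source(device, set()), 8, clean)
    clean_matches_source = bad == [] and h_clean == hashlib.sha256(device).hexdigest()

    # 2. Source with an unreadable sector 5: geometry preserved, sector logged.
    flaky = io.BytesIO()
    bad, h_flaky = acquire(make_source(device, {5}), 8, flaky)
    img = flaky.getvalue()

    # 3. The image verifies against its own acquisition hash, and a single
    #    flipped byte anywhere in it is caught.
    tampered = bytearray(img)
    tampered[7 * SECTOR] ^= 0x01
    return {
        "clean_matches_source": clean_matches_source,
        "bad_sectors": bad,
        "image_len": len(img),
        "zero_filled": img[5 * SECTOR:6 * SECTOR] == b"\x00" * SECTOR,
        "verifies": verify_image(img, h_flaky),
        "tamper_detected": not verify_image(bytes(tampered), h_flaky),
    }


if __name__ == "__main__":
    print(demo())
```

The point the second case makes is the one examiners get wrong most often: once a sector was unreadable, the image's hash can never match a hash of the original drive, so the value recorded at acquisition time (together with the bad-sector log) is what later validation compares against.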

Module 6: Email Investigation and Mobile device Forensics

Covers e-mail and Internet fundamentals and examines e-mail crimes and violations. It also
reviews some specialized e-mail forensics tools. It also covers investigation techniques and
acquisition procedures for recovering data from mobile devices and provides guidance on
dealing with these constantly changing technologies

Module 7: Recent Trends


What is the format of the course?
This course is designed with 150 minutes of in-classroom sessions and 100 minutes of practicals
on the course topics per week. The course generally combines lectures, in-class discussion, case
studies, guest lectures, mandatory off-class reading material, quizzes and assignments.

How are students assessed?

• Students are assessed on a combination of group activities, classroom discussion, projects,
  and continuous and final assessment tests.
• Additional weightage will be given based on their rank in crowd-sourced projects /
  Kaggle-like competitions.
• Students can earn additional weightage based on a certificate of completion of a related
  MOOC course.

Hours  Topic Covered                                                    Level of mastery  Ref. Book  Remarks
2      Understanding Computer Forensics                                 Usage             1
2      Preparing for Computer Investigations                            Usage
2      Corporate High Tech Investigation                                Usage
2      Data Acquisition and Recovery                                    Usage             1
2      Storage formats, Using acquisition tools                         Familiarity                  Lab Component
2      Data Recovery: RAID data acquisition                             Familiarity                  Lab Component
3      Processing Crime and Incident Scene                                                1
3      Identifying and collecting evidence, Preparation for search      Familiarity       1          Lab Component
3      Seizing and Storing Digital evidence                             Familiarity       1          Lab Component
3      Computer Forensics tools (EnCase) and Windows Operating System:  Familiarity       1          Lab Component
       Understanding file structure and file system
3      NTFS disks, Disk Encryption and Registry Manipulation            Familiarity       1          Lab Component
3      Computer Forensics software and hardware tools                   Familiarity       1
2      Computer Forensics Analysis and Validation: Data collection      Familiarity       1          Lab Component
       and analysis
3      Validation of forensics data                                     Usage             1
2      Addressing data hiding techniques                                Familiarity       1          Lab Component
2      Email Investigation and Mobile device Forensics: Investigating   Usage             1          Lab Component
       e-mail crimes and violations, Using specialized e-mail
       forensics tools
2      Understanding mobile device forensics                            Usage             1
2      Acquisition procedures                                           Familiarity       1          Lab Component
2      Recent Trends                                                    Usage             1
Total  45

Approved by Academic Council No.:47 Date: 05.10.2017
