4 credit/unit hours – Four hours of lecture weekly; one term

In this course, students perform detailed forensic analyses and produce forensic reports of findings on a series of compromised and/or seized system images, using tools for distributed data collection, imaging and forensics. Students will also examine host/network-level data, as well as mobile device data, while systematically determining what happened and how. Students will use both open-source and court-approved digital forensic software tools to conduct forensic examinations.

Learning Objectives

Upon completion of this course the student will be able to:

  • Demonstrate the proper use of the AccessData (FTK) tool suite, data carving tools, and various Linux utilities to create a forensic image and analyze it;
  • Use the Linux utility dd and a hexadecimal viewer to recover several deleted files from various file systems (e.g., FAT, VFAT);
  • Identify components of the Microsoft Windows Registry;
  • Describe forensic procedures for digital investigations of mobile devices and email; and
  • Debate ethical concerns for expert witnesses associated with digital investigations

Main Topics

1.0 Data acquisition and validation

2.0 Linux and Mac file structures

3.0 Graphic file formats

4.0 AccessData tool suite

5.0 Microsoft Windows Registry

6.0 Mobile device forensics

7.0 Email forensics

8.0 Cloud forensics

9.0 Ethical responsibilities of an expert witness