CS4677 Computer Forensics

This course covers the fundamentals of computer forensics in the context of DoN/DOD information operations. Students examine how information is stored and how it may be deliberately hidden and/or subverted. Coverage includes: practical forensic examination and analysis, techniques of evidence recovery, legal preparation of evidence, common forensic tools, the principle of original integrity, disk examination, and logging.

Prerequisite

CS3600

Lecture Hours

3

Lab Hours

2

Course Learning Outcomes

Upon completion of this course the student is expected to:

  • Understand and define key general terms in digital forensics such as cybercrime, e-discovery, forensic media, Locard’s Principle, forensic tools, forensic acquisition, volatile memory, and secondary storage.
  • Be able to describe key computer-science concepts used in forensics including data encoding schemes, data compression, indexes and trees, data hashing and signatures, statistical distributions, histograms, entropy, cosine similarity between distributions, recall, precision, and F1-scores.
  • Be able to describe the key procedures in forensic acquisition including authorization and warrants, recording of procedures, chains of custody, copying methods, forensic containers, treatment of blank storage, hidden files, line terminators, endianness, write blockers, live-system acquisition, virtual machines, Web crawlers, network packet collection, and password and key recovery.
  • Be able to describe drive volumes, file metadata, timestamp analysis, classification of users from metadata, finding anomalous files, host-based intrusion detection, machine-learning methods for searching data, and use of the Windows Registry.
  • Be able to retrieve files from a drive image with a forensic tool, use file filters like the NSRL, analyze timestamp patterns, analyze file-type distributions, collect personal artifacts like email addresses, phone numbers, and personal names, and assemble file fragments.
  • Be able to perform string search on drives, use histograms to classify text, use stopwords, use destemming, and be familiar with language identification methods.
  • Be familiar with methods for following leads across machines, server and cloud forensics, Web site forensics, and measuring social networks.
  • Be familiar with the key methods of anti-forensics including concealment, obfuscation, system and hardware manipulation, static clues, suspicious software, deception in media, and general deception theory.
  • Be familiar with key legal aspects of forensics including cybercrime laws, privacy laws, intellectual property laws, precedents in case law, search authorization for law enforcement, authentication of digital evidence, affidavits, court testimony with digital forensics, digital forensics in civil cases, and cyberwarfare forensics.
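The following is an added worked example, not part of the CS4677 catalog entry or of the course's own materials. It exercises several of the computer-science concepts named in the outcomes above on constructed file contents: hashing each file and filtering it against a known-file hash set (a stand-in for the NSRL), building byte histograms, computing Shannon entropy to flag content that looks encrypted or compressed, comparing distributions with cosine similarity, and scoring the resulting classifier with precision, recall and F1. The file names, contents and the known-good hash set are assumptions made for illustration only.

```python
"""Toy forensic triage over constructed file contents (added example).

Demonstrates: SHA-256 hash filtering against a known-good set, 256-bin byte
histograms, Shannon entropy, cosine similarity between distributions, and
precision/recall/F1 of an entropy-based "suspicious file" classifier.
"""
import hashlib
import math
from collections import Counter

# Constructed sample "files" (names and contents are assumptions for illustration).
SAMPLES = {
    "README.txt": b"This is an ordinary text file kept for the investigation. " * 8,
    "notes.txt": b"Meeting notes: the suspect said nothing useful. " * 10,
    "hidden.bin": bytes(range(256)) * 4,            # uniform bytes: looks encrypted
    "archive.zip": bytes(range(255, -1, -1)) * 2,   # also uniform: benign compressed data
    "stock.dll": b"MZ" + b"\x00" * 64 + b"ordinary vendor binary padding " * 4,
}

# Stand-in for the NSRL: a set of SHA-256 digests of known, uninteresting files.
# A real filter loads a published hash list; this set is constructed for the example.
KNOWN_GOOD = {hashlib.sha256(SAMPLES["stock.dll"]).hexdigest()}


def sha256_hex(data):
    """Hex SHA-256 digest, the identity used to match a file against a hash set."""
    return hashlib.sha256(data).hexdigest()


def byte_histogram(data):
    """Normalized 256-bin distribution of byte values (all zeros for empty input)."""
    n = len(data)
    if n == 0:
        return [0.0] * 256
    counts = Counter(data)
    return [counts.get(b, 0) / n for b in range(256)]


def shannon_entropy(data):
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    return -sum(p * math.log2(p) for p in byte_histogram(data) if p > 0)


def cosine_similarity(p, q):
    """Cosine of the angle between two histograms; 1.0 means identical shape."""
    dot = sum(a * b for a, b in zip(p, q))
    norm = math.sqrt(sum(a * a for a in p)) * math.sqrt(sum(b * b for b in q))
    return dot / norm if norm else 0.0


def triage(samples, known_good, entropy_threshold=7.0):
    """Map each file name to 'known' (hash-filtered), 'suspicious' (high entropy),
    or 'review' (everything else). Hash filtering runs first so known files are
    never re-examined."""
    verdicts = {}
    for name, data in samples.items():
        if sha256_hex(data) in known_good:
            verdicts[name] = "known"
        elif shannon_entropy(data) >= entropy_threshold:
            verdicts[name] = "suspicious"
        else:
            verdicts[name] = "review"
    return verdicts


def precision_recall_f1(predicted, actual):
    """Score a set of flagged items against the ground-truth set."""
    tp = len(predicted & actual)
    fp = len(predicted - actual)
    fn = len(actual - predicted)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


def run_demo():
    """Triage the samples and score the entropy rule against constructed ground truth,
    in which only hidden.bin is actually encrypted. Returns (verdicts, (p, r, f1))."""
    verdicts = triage(SAMPLES, KNOWN_GOOD)
    flagged = {name for name, v in verdicts.items() if v == "suspicious"}
    truly_encrypted = {"hidden.bin"}   # constructed ground truth
    return verdicts, precision_recall_f1(flagged, truly_encrypted)


if __name__ == "__main__":
    verdicts, scores = run_demo()
    for name, data in SAMPLES.items():
        print(f"{name:12s} sha256={sha256_hex(data)[:16]}... "
              f"entropy={shannon_entropy(data):.2f} verdict={verdicts[name]}")
    text_sim = cosine_similarity(byte_histogram(SAMPLES["README.txt"]),
                                 byte_histogram(SAMPLES["notes.txt"]))
    bin_sim = cosine_similarity(byte_histogram(SAMPLES["README.txt"]),
                                byte_histogram(SAMPLES["hidden.bin"]))
    print(f"cosine(README, notes)={text_sim:.3f}  cosine(README, hidden)={bin_sim:.3f}")
    print("precision=%.2f recall=%.2f f1=%.2f" % scores)
```

The scoring step is the point of the example: the entropy rule recovers the encrypted file (recall 1.0) but also flags the benign compressed archive, so precision is only 0.5. Compressed and encrypted data are both near 8 bits per byte, which is why entropy is a lead generator rather than a verdict, and why a hash filter such as the NSRL is applied first to remove known files before any statistical test is run.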