Digital Forensics IYM015 (Option)

University of London International Academy MSc/PG Dip in Information Security
Lead College – Royal Holloway

Aims

The objective of this module is to introduce the foundations of digital forensics, from the discovery to the collection and analysis of evidence suitable for use in a court of law or for purposes such as documenting compliance. This includes the ways in which data is generated, stored, and transmitted in a number of settings, including desktop and mobile environments as well as networks. Preserving the integrity of such evidence, also in the presence of malware or explicit counter-forensic mechanisms, and means for discovering the presence of such mechanisms, are also covered explicitly.

Pre-requisites

None

Learning Outcomes

On completion of the module students should:

- Have an understanding of audit and indirect dynamic activity records retained by operating systems, particularly in file systems
- Understand selected network protocols, and the collection and derivation of evidence allowing reconstruction of activities
- Be able to identify and apply sound forensic practices
- Be able to identify and counter obfuscation and counter-forensic techniques
- Have in-depth insight into the retention characteristics of storage systems for desktop, mobile, and non-standard computing systems

Essential Reading

Lecture notes are largely self-contained, with additional study material for each unit described in the syllabus.

- C. Altheide, H. Carvey: Digital Forensics with Open Source Tools, Syngress (2011)
- E. Casey: Digital Evidence and Computer Crime, 3rd ed., Academic Press (2011)
- K. Jones, R. Bejtlich, C.W. Rose: Real Digital Forensics. Included as study material once registered on the course.

Assessment

This module is assessed by a two hour unseen written examination.

Syllabus

Unit 1 – Introduction

- Overview of module and topics covered
- Introduction to forensic science
- Legal background, digital forensics and the law
- Forensic evidence collection and processing
- Phases of a forensic investigation

Unit 2 – Storage Forensics I

- Disk-based storage media
- Storage device firmware
- Firmware interactions for storage media
- FAT file system abstractions and forensics
- ExFAT extensions and forensics
- Forensic duplication mechanisms

Unit 3 – Storage Forensics II

- Microsoft Windows storage architecture
- Partition and volume management in Microsoft Windows
- The Windows NTFS file system and its forensics
- Encryption mechanisms for file systems and volumes
- Physical storage artefacts in magnetic media and their recovery

Unit 4 – Host Forensics I

- Memory and live forensics
- Memory image acquisition techniques and their limitations
- Counter-forensic techniques for memory forensics
- Non-volatile storage forensics
- Flash memory and flash file system problems
- Host firmware and forensics interactions

Unit 5 – Host Forensics II

- Microsoft Windows kernel architecture
- Live forensics for Microsoft Windows systems
- Microsoft Windows security architecture
- Access control and auditing systems in Microsoft Windows
- Virtualisation and its impact on digital forensics

Unit 6 – Selected Aspects of Network Forensics

- Host-based network forensic information collection
- Transient network connection information and connection residues
- Network component forensic information collection
- Email forensics for standard protocols
- Interactions of email systems with local and cloud storage

Unit 7 – Malware Forensics

- Malware concepts and objectives
- Malware infiltration strategies for documents and data
- Malware propagation and counter-forensic evasion techniques
- Exfiltration mechanisms and covert channels
- Obfuscation and rootkits

Unit 8 – Mobile Device Forensics

- Mobile devices in forensic investigations
- Data sources on mobile devices
- Low-level physical access and jailbreak mechanisms
- Android forensics fundamentals
- Dalvik and ART applications
- Storage mechanisms on Android and the YAFFS2 file system
- iOS forensics fundamentals
- Pairing, iCloud, and other remote access methods
- Storage encryption on Android and iOS

Unit 9 – Steganography (not examinable)

- Introduction to steganography and steganalysis
- Steganographic use of file systems
- Steganographic methods for media data including text, image, and audio data
- Digital image forensics from sensor identification to photo tampering analysis
- Video forensics

Unit 10 – Forensic Analysis of Embedded Devices

- Geolocation systems forensics
- Spoofing, jamming, and accuracy of satellite navigation and tracking devices
- Vehicular systems forensics
- Event data recorders and their analysis
- Manipulation of vehicular electronics and their discovery
- Cloud storage forensics

Last updated: May 2016