Digital Forensics IYM015 (Option)

University of London International Academy MSc/PG Dip in Information Security Lead College – Royal Holloway

Digital Forensics IYM015 (Option) Aims The objective of this module is to introduce the foundations of digital forensics, from the discovery to collection and analysis of evidence suitable for use in a court of law or purposes such as documenting compliance. This includes ways in which data is generated, stored, and transmitted in a number of settings including desktop and mobile environments as well as networks. Preserving the integrity of such evidence also in the presence of malware or explicit counter-forensic mechanisms as well as means for discovering the presence of such mechanisms is also covered explicitly.

Pre-requisites None

Learning Outcomes On completion of the module students should:

Essential Reading



Lecture notes are largely self-contained with additional study material for each unit described in the syllabus.





C. Altheide, H. Carvey: Digital Forensics with Open Source Tools, Syngress (2011)



E. Casey: Digital Evidence and Computer Crime, 3rd ed. Academic Press (2011)



Included as study material once registered on the course.



Assessment



This module is assessed by a two hour unseen written examination.

Have an understanding of audit and indirect dynamic activity records retained by operating systems, particularly in file systems Understand selected network protocols, collection and derivation of evidence allowing reconstruction of activities Be able to identify and apply sound forensic practices Be able to identify and counter obfuscation and counter-forensic techniques Have in-depth insight on retention characteristics of storage systems for desktop, mobile, and non-standard computing systems

Syllabus

Unit 1- Introduction     

Overview of module and topics covered Introduction to forensic science Legal background, digital forensics and the law Forensic evidence collection and processing Phases of a forensic investigation

Unit 2 – Storage Forensics I      

Disk-based storage media Storage device firmware Firmware interactions for storage media FAT file system abstractions and forensics ExFAT extensions and forensics Forensic duplication mechanisms

Unit 3 – Storage Forensics II     

Microsoft Windows storage architecture Partition and volume management in Microsoft Windows The Windows NTFS file system and its forensics Encryption mechanisms for file systems and volumes Physical storage artefacts in magnetic media and their recovery

Unit 4 – Host Forensics I     

   

Memory and live forensics Memory image acquisition techniques and their limitations Counter-forensics techniques for memory forensics Non-volatile storage forensics Flash memory and flash file systems problems Host Firmware and forensics interactions

Unit 6 – Selected Aspects of Network Forensics   

Host-based network forensic information collection Transient network connection information and connection residues Network Component forensic information collection

Email forensics for standard protocols Interactions of email systems with local and cloud storage

Unit 7 – Malware Forensics     

Malware concepts and objectives Malware infiltration strategies for documents and data Malware propagation and counter-forensic evasion techniques Exfiltration mechanisms and covert channels Obfuscation and root kits

Unit 8 – Mobile Device Forensics         

Mobile devices in forensic investigations Data sources on mobile devices Low-level physical access and jailbreak mechanisms Android forensics fundamentals Dalvik and ART applications Storage mechanisms on Android and the YAFFS2 file system iOS forensics fundamentals Pairing, iCloud, and other remote access methods Storage encryption on Android and iOS

Unit 9 – Steganography (not examinable) 

Microsoft Windows kernel architecture Live forensics for Microsoft Windows systems Microsoft Windows security architecture Access control and auditing systems in Microsoft Windows Virtualisation and its impact on Digital Forensics

Unit 5 – Host Forensics II  

 

   

Introduction to steganography and steganalysis Steganographic use of file systems Steganographic methods for media data including text, image, and audio data Digital image forensics from sensor identification to photo tampering analysis Video forensics

Unit 10 – Forensic Analysis of Embedded Devices      

Geolocation systems forensics Spoofing, jamming, and accuracy of satellite navigation and tracking devices Vehicular systems forensics Event data recorders and their analysis Manipulation of vehicular electronics and their discovery Cloud storage forensics

Last updated: May 2016