Course Implementation Plan

  1. Module 1: Introduction to digital forensics
    • Lab 1: Students collect tools for network forensics: Wireshark, NetworkMiner, Pcapfix
  2. Module 2: Basic techniques for digital forensics
    • Lab 2: Students collect tools for computer forensics: FTK Imager, EnCase, Volatility.
    • Lab 3: Using HexView to inspect the headers of JPEG and EXE files, to understand file headers.
  3. Module 3: Building environments for digital forensics
    • Lab 4: Prepare tools for lab: FTK, Encase, Volatility Framework, Memdump.
    • Lab 5: Building an environment for computer forensics: installing FTK, using EnCase
  4. Module 4: Collecting evidence
    • Lab 6: Students collect tools for disk cloning
    • Lab 7: Collecting evidence: drives, RAM. Gathering evidence using the various tools of DataLifter
    • Lab 8: Using dd for disk cloning. Gathering evidence using the various tools of DataLifter
  5. Module 5: Computer forensics
    • Lab 9: FTK capture Registry
    • Lab 10: RAM Capture and Analysis
  6. Module 6: Network forensics
    • Lab 11: Building an environment for network forensics: Wireshark, NetworkMiner.
    • Lab 12: Building an intrusion detection system: Snort
    • Lab 13: Using Snort for Network-Based Forensics

Note:

All course materials will be copied directly to each student during the first week of the course; please make sure to attend every class.

Labs

Lab 0: Setting Up an Initial Lab Environment

  • Install Kali (Optional)
  • Get the NIST data leakage case DD image
  • Examine files in the DD image
  • Extract registry files from the DD Image
  • Extract Prefetch files from the DD image
  • Extract security event log files from the DD Image
  • Install tree, RegRipper 3.0 and Windows-Prefetch-Parser

Lab 1: Introduction to Digital Forensics – Autopsy software

  • Windows 10
  • Investigate a USB drive (owned by George Montgomery)
  • Assume we have the image file: https://www.dropbox.com/s/nw23q14vzsykyup/Ch01InChap01.dd (from book Guide to Computer Forensics and Investigations, Sixth Edition)
  • Software: Autopsy
  • Tasks
    • Recover Word files, images
    • Search key words

Lab 2: Data Carving

  • Scenario 1: A file (A) is hidden inside another file (B). You cannot open file B because B's header is corrupted.
  • Scenario 2: A suspect deleted files that contain important information. Each file occupies a few clusters. Unfortunately, some of those clusters have already been reused (overwritten) by new files.

→ A forensic expert still wants to recover the files, even partially.

  1. Extracting images from a corrupted Word document
  2. Carving/Recovering a USB image
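Both scenarios above are what a signature-based carver handles: it ignores the container's (possibly corrupted) file-system or header metadata and looks only for known magic numbers and trailers. The following Python script is an added example for this lab, not part of the course materials; it runs over a constructed byte buffer (a zeroed ZIP header hiding a complete JPEG, followed by a JPEG whose last clusters were overwritten) and returns both the complete file and the partial one.

```python
import re

# Magic number (header) and trailer for each file type the carver knows about.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(data: bytes) -> list:
    """Return carved files as dicts: ext, offset, complete flag and raw bytes.

    Every header hit is a candidate. It ends at its trailer if the trailer shows
    up before the next header; otherwise the bytes up to the next header (or the
    end of the buffer) are returned as a partial file (Scenario 2). Caveat: a
    header embedded inside another file (e.g. a JPEG's EXIF thumbnail) splits
    the outer file; real carvers add structure checks to avoid that.
    """
    hits = []
    for ext, (header, _footer) in SIGNATURES.items():
        for m in re.finditer(re.escape(header), data):
            hits.append((m.start(), ext))
    hits.sort()
    carved = []
    for i, (start, ext) in enumerate(hits):
        limit = hits[i + 1][0] if i + 1 < len(hits) else len(data)
        header, footer = SIGNATURES[ext]
        end = data.find(footer, start + len(header), limit)
        if end == -1:
            carved.append({"ext": ext, "offset": start, "complete": False,
                           "data": data[start:limit]})
        else:
            carved.append({"ext": ext, "offset": start, "complete": True,
                           "data": data[start:end + len(footer)]})
    return carved

# Constructed evidence buffer (not real case data): a container whose "PK" ZIP
# header was zeroed (Scenario 1) holds a complete JPEG; a second JPEG has lost
# its trailing clusters to overwriting (Scenario 2), so its EOI marker is gone.
JPEG_COMPLETE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x41" * 40 + b"\xff\xd9"
JPEG_TRUNCATED = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x42" * 24
EVIDENCE = (b"\x00\x00\x03\x04" + b"\x00" * 16      # corrupted ZIP local header
            + JPEG_COMPLETE + b"\x00" * 8
            + JPEG_TRUNCATED + b"\x00" * 8)          # reused clusters follow

def carve_evidence() -> list:
    return carve(EVIDENCE)

if __name__ == "__main__":
    for f in carve_evidence():
        status = "complete" if f["complete"] else "PARTIAL"
        print(f"{f['ext']} @ offset {f['offset']}: {len(f['data'])} bytes, {status}")
```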

Lab 3: USB Image Acquisition

  • Download and install FTK
  • Plug a flash drive into your computer. You can copy some files to the USB drive. Verify that your PC can read the USB drive.
  • Acquire an image of the USB drive using FTK

→ What to Do Next?

Lab 4: Disk Image and Partitions

Book

  • John Sammons. The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics, 2nd Edition, Syngress Publishing © 2015.
  • Bill Nelson, Amelia Phillips, Chris Steuart, Guide to Computer Forensics and Investigations Processing Digital Evidence 5th Edition, Cengage Learning © 2016.
  • John Sammons, Lars Daniel. Digital Forensics Trial Graphics: Teaching the Jury Through Effective Use of Visuals, Elsevier © 2017.

URLs