COSC 429: Digital Forensics

Prerequisites: COSC 110 or equivalent programming course, junior standing, or permission of instructor.

Takes a detailed hands-on approach to the use of computer technology in investigating computer crime. From network security breaches to child pornography, the common bridge is the demonstration that particular electronic media contains incriminating evidence.

Using modern forensics tools and techniques, students learn how to conduct a structured investigation process to determine exactly what happened and who was responsible, and to perform this investigation in such a way that the results are useful in criminal proceedings. Real-world case studies will be used to provide a better understanding of security issues. Unique forensics issues associated with various operating systems, including Linux and Windows, and their associated applications are covered.

Course Outcomes:

Upon completion of this course, students will be able to:

  1. Explain digital forensics and investigations on digital media.
  2. Identify relevant electronic evidence associated with various violations of specific laws, including, but not limited to, computer crimes.
  3. Locate and recover relevant electronic evidence from digital media using a variety of tools.
  4. Identify and articulate probable cause as necessary to obtain a warrant to search for electronic artifacts and recognize the limits of warrants.
  5. Explain the principles and practice of ethics and law for computer forensics investigators.
  6. Explain how to manage/conduct a computer crime investigation involving digital media.
  7. Follow a documented investigation process.
  8. Present the evidence and conclusions of an investigation in a report form.
  9. Describe core computer science theory necessary to perform computer forensics.

Course Outline

  1. Fundamentals of digital forensics (3 hrs)
    • Introduction to digital forensics
    • Digital evidence and investigations
    • Real life examples of computer crime
    • Challenging aspects of digital forensics
  2. Computer crime investigation process (3 hrs)
    • The Investigation process
    • Preparing a computer investigation
    • Systematic approach to an investigation
    • Procedures for corporate high-tech investigation
    • Conducting an investigation
  3. Digital evidence acquisition (3 hrs)
    • Implications of related law
      1. The 4th Amendment to the US Constitution and its application to computer/network search and seizure
      2. The implications of the Electronic Communications and Privacy Act, the US Patriot Act, and US federal and state guidelines
      3. Methods of ensuring chain of custody of evidence
    • Processing crime and incident scenes
      1. Rules for acquiring digital evidence.
      2. Collecting evidence at private-sector incident scenes.
      3. Steps in preparing for evidence search.
      4. Performing a digital hash.
    • Process of digital evidence acquisition
      1. Procedures for digital evidence acquisition
      2. Digital evidence storage formats
      3. Acquisition tools
      4. Validating data acquisitions
      5. RAID acquisition methods

      First Exam (1 hr)

  4. Computer science theory behind computer forensics (4 hrs)
    • Windows and DOS file systems
      1. Microsoft file structures
      2. The structure of NTFS disks
      3. Windows Registry
      4. Microsoft and DOS start-up tasks
      5. Forensics analysis in Windows
        1. Live response
        2. Response data analysis

    • Linux boot processes and file systems
      1. UNIX and Linux disk structures
      2. UNIX and Linux boot processes.
      3. Other disk structures.
      4. Forensics analysis in Linux
  5. Methods for performing evidence examination (4 hrs)
    • Evidence examination procedure
      1. Physical/logical extraction
      2. Analysis of extracted data
      3. Data hiding techniques
    • Recovering graphics files
      1. Types of graphics file formats.
      2. Types of data compression.
      3. Locating and recovering graphics files.
      4. Identifying unknown file formats.
      5. Copyright issues with graphics.

      Second Exam (1 hr)

    • E-mail investigations
      1. The role of e-mail in investigations
      2. Client and server roles in e-mail
      3. Tasks in investigating e-mail crimes and violations
      4. The use of e-mail server logs
      5. Available e-mail computer forensics tools
    • Cell phone and mobile device forensics
      1. Basic concepts of mobile device forensics
      2. Procedures for acquiring data from cell phones and mobile devices
  6. Evidence presentation (2 hrs)
    • Procedures for documenting and reporting
    • Guidelines for writing reports.
    • Using forensics tools to generate reports
  7. Ethical issues for computer forensics (3 hrs)
    • Expert Testimony in High-Tech Investigations
    • Guidelines for giving testimony as a technical/scientific or expert witness.
    • Guidelines for testifying in court.
    • Guidelines for testifying in depositions and hearings.
    • Procedures for preparing forensic evidence for testimony.

Total: 42 hours

Evaluation Methods

The final grade will be determined by:

Three Exams:                                   45%

Group Project including final presentation:    40%

Laboratory Projects:                           15%

Grading Scale 

A:   >90 %

B:   80-89%

C:   70-79%

D:   60-69%

F:   <60%

Attendance Policy

The attendance policy will follow the guidelines given in the IUP Handbook.

Required textbook(s):

Nelson B, Phillips A, Enfinger F, Steuart C. Guide to Computer Forensics and Investigations, 4th edition, Course Technology, 2010.

Bibliography 

  1. Nelson B, Phillips A, Enfinger F, Steuart C. Guide to Computer Forensics and Investigations, 3rd edition, Course Technology, 2010.
  2. Jones, Keith J. Forensic Analysis of Internet Explorer Activity Files, http://umn.dl.sourceforge.net/sourceforge/sourceforge/odessa/IE_Cookie_File_Reconstruction.pdf.
  3. Morris, Jamie. Forensics on the Windows Platform, Part One, http://www.securityfocus.com/infocus/1661.
  4. Cheng, Derek. Freeware Forensics Tools for Unix, http://www.securityfocus.com/infocus/1503.
  5. Leuenberger, Adrian. Win32 - Evidence Gathering, Apr 2004, http://www.csnc.ch/static/download/misc/2004_win32_forensics_v1.1.pdf.
  6. Barish, Stephen. Windows Forensics - A Case Study: Part One, SecurityFocus InFocus Article, Dec 2002, http://www.securityfocus.com/infocus/1653.
  7. Barish, Stephen. Windows Forensics - A Case Study: Part Two, SecurityFocus InFocus Article, Mar 2003, http://www.securityfocus.com/infocus/1672.
  8. EC-Council. Computer Forensics: Hard Disk and Operating Systems, 1st edition, Course Technology, 2010.
  9. EC-Council. Computer Forensics: Investigating Data and Image Files, 1st edition, Course Technology, 2010.
  10. Willassen, Svein Yngvar. Forensics and the GSM Mobile Telephone System, International Journal of Digital Evidence, Spring 2007, http://www.utica.edu/academic/institutes/ecii/publications/articles/A0658858-BFF6-C537-7CF86A78D6DE746D.pdf.
  11. Collins, Max Allan. CSI: Body of Evidence, Pocket Books, 2003.
  12. Prosecuting Computer Crimes, Computer Crime & Intellectual Property Section, United States Department of Justice, http://www.cybercrime.gov/ccmanual/index.html.
  13. Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, Computer Crime and Intellectual Property Section, Criminal Division, United States Department of Justice, 2002, http://www.usdoj.gov/criminal/cybercrime/searching.html.
  14. Jones K, Bejtlich R, Rose C. Real Digital Forensics, Addison Wesley, 2006.
  15. Davis C, Philipp A, Cowen D. Hacking Exposed Computer Forensics, McGraw Hill, 2005.
  16. Altheide, C. Forensic Analysis of Windows Hosts Using UNIX-based Tools. Digital Investigation, Sept 2004, 197-212.
  17. Carlin, A., Curl, S., Manson, D. To Catch a Thief: Computer Forensics in the Classroom. In Proceedings of the 22nd Annual Information Systems Educators Conference, Association of Information Technology Professionals, Chicago, IL, 2005.
  18. Harrison, W. The Digital Detective: An Introduction to Digital Forensics. In Advances in Computers, vol. 60, Academic Press, 2004.
  19. Yasinsac, A., Erbacher, R., Marks, D., Pollitt, M. Computer Forensics Education. IEEE Security & Privacy, July/Aug. 2003, 15-23.