IA/0129/EN - COMPUTER FORENSICS TECHNIQUES
Academic Year 2020/2021
DAVIDE MAIORCA (Tit.)
[70/90] COMPUTER ENGINEERING, CYBERSECURITY AND ARTIFICIAL INTELLIGENCE | [90/00 - Ord. 2018] COMMON TRACK | 5 | 50
The Computer Forensics Techniques course provides students with specific skills in the field of Digital Forensics analysis and investigation through an in-depth study of the systems involved and of the best forensic investigation techniques. Such techniques can be employed to recover digital evidence that can be produced as proof during a legal trial.
The knowledge provided will give students a general overview of Digital Forensics, covering the topics of Computer Forensics Techniques, Mobile Forensics Analysis, Digital Investigation and OSINT for Digital Forensics Intelligence. In particular, these modules provide cross-cutting knowledge of modern operating systems and file systems, which is then used to explore techniques for data, network, and memory analysis.
The proposed laboratories will be delivered through an e-learning platform and will give students practical skills that, together with the theoretical ones, will make them autonomous in Digital Forensics analysis activities. In this context, particular attention will be given to analysis techniques specific to Windows, Linux, and Android, so that students can employ the techniques and tools available for each system in order to maximize the probability of a successful forensic analysis.
According to the Dublin Descriptors, the goals of the course are the following:
Knowledge and understanding:
- Having general knowledge on the methodological and technical aspects in the field of Digital Forensics;
- Having knowledge of the practical tools employed to carry out forensic analyses;
- Being able to properly use the various operating system distributions, in particular in the Unix/Linux setting.
Applying knowledge and understanding:
At the end of the course, the students shall be able to perform the following:
- Being able to apply forensic investigation tools to a wide variety of devices, both Desktop/Laptop and Mobile (smartphones, tablets);
- Being able to exploit the different characteristics of the operating systems in relation to the type of forensic activities that the analyst wants to carry out;
- Acquiring the investigative capabilities to operate in the field of Digital Investigation through the creation of Virtual Identities;
- Being able to provide efficient reports according to clarity criteria, which are necessary to present evidence that is valid in the context of a trial.
At the end of the course, students will be able to perform the following:
- Being able to evaluate the forensic scenarios in which they operate and to correctly analyse them in view of the activities that will follow;
- Being able to choose the necessary tools (Open Source or commercial) to proceed with the extraction of digital evidence.
At the end of the course, students shall be able to illustrate and discuss the various phases of the forensics activities, according to the proposed court cases.
The course will give students the possibility to widen their skills and acquire the use of new forensic tools by reading technical documentation and operating guides.
The following prerequisites are necessary:
- Basic knowledge of the main operating system distributions, with a particular focus on Unix/Linux, their commands and processes;
- Knowledge of the structure of the different file system types found on storage media.
The course is structured in modules, described as follows:
- MODULE 1 - INTRODUCTION (5 hours)
- MODULE 2 - COMPUTER FORENSICS TECHNIQUES (9 hours)
  - General Computer Forensics concepts;
  - Analysis and profiling of cases;
  - Tools for forensic analysis (The Sleuth Kit);
  - Preparation of environments for forensic analyses;
  - Creation of a simulated test;
  - Acquisition and basic analysis of legal evidence;
  - Reporting activities and chain of custody;
  - Case study and labs.
- MODULE 3 - DIGITAL INVESTIGATION (9 hours)
  - Methodological aspects in the field of Digital Forensics and Investigation;
  - Figures and roles of the subjects that operate in the field of Digital Investigation;
  - Undercover Virtual Identities;
  - Chain of custody of the gathered evidence;
  - Reporting techniques.
- MODULE 4 - OSINT FOR DIGITAL FORENSIC INTELLIGENCE (9 hours)
  - General aspects of the Internet;
  - OSINT tools;
  - Analysis of evidence gathered from the network;
  - Techniques for searching and extracting evidence from the network.
- MODULE 5 - MOBILE FORENSICS ANALYSIS (9 hours)
  - General aspects of Mobile Forensics;
  - Detailed aspects of Android and iOS systems;
  - Techniques to analyse, verify and extract data from mobile devices such as smartphones and tablets (e.g., write blocking, device isolation, etc.);
  - Data analysis with commercial and free software (Oxygen, Axiom, UFED).
- MODULE 6 - LIVE MEMORY FORENSICS (9 hours)
  - General aspects of the analysis of the RAM of a device;
  - Introduction to the forensic tool Volatility;
  - Practical lab activities.
The teaching is organized with:
- Frontal lectures supported by graphical presentations;
- Labs and materials that can be accessed through the e-learning platform (elearning.unica.it/);
- Practical sessions involving the analysis of devices and memory images (e.g., smartphones, hard disks).
Verification of learning
Learning will be verified in the following ways:
- Through the development of 4 "homework" assignments (each yielding a score between 0 and 6), which students may complete and submit at any time, but before the final oral test (see the next point);
- Through a final oral test (which yields a score between 0 and 8). This test can be taken only after the previous four homework assignments have been completed.
The four homework assignments will concern the following topics:
- The analysis of a piece of evidence acquired with forensics tools (e.g., a memory image);
- The discussion of concepts related to the management of Virtual identities;
- The usage of Open Source Intelligence (OSINT) techniques;
- The analysis of a memory image acquired from mobile devices.
The oral test is composed of a single question, which has the aim of discussing a case study through the different phases of the forensic process.
The maximum score is 32. If the score equals 32, the final mark is 30 cum laude.
The oral test is composed of three questions, each of them yielding a score between 0 and 4. Two of the three questions will concern theoretical topics, and the last one will concern a discussion of a case study.
The maximum overall score is 32 points. If the student achieves 32 points, the overall mark is 30 cum laude.
J. Sammons. The Basics of Digital Forensics, Syngress.
R. Boddington. Practical Digital Forensics, Packt Publishing.
The course is organized as follows:
- Frontal or remote lectures (depending on specific needs) supported by graphical presentations or other material;
- Use of the e-learning platform (https://elearning.unica.it) to access materials and labs;
- Practical labs, specific to each module, that can be accessed through the e-learning platform;
- Additional seminars.