EE547 Digital Forensics
Schedule
Wed 13h00-15h30 (lecture in s4214)
Wed 15h30-16h00 (lab in s5104)
References
- B. Carrier. “File System Forensic Analysis”, Addison Wesley, 2005, 569 p.
- M.H. Ligh et al., “The Art of Memory Forensics – Detecting Malware and Threats in Windows, Linux and Mac Memory”, Wiley, 2014, 886p.
- Harlan Carvey, “Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 8”, 4th Edition, Syngress, 2014, 350p.
Resource
| Week | Date | Lecture | References | Others | Laboratories |
| 1 | 10 Sep 25 | Intro to digital forensics (recording) | Carrier §1-3 | Lab setup | |
| 2 | 17 Sep 25 | Volumes and partitions (recording) | Carrier §4-7 | Lab 1 – Intro to X-Ways (due 24 Sep at 13h00) | |
| 3 | 24 Sep 25 | FAT32 file system (recording) | Carrier §8-10 | Lab 2 – Volumes and Partitions (due 1 Oct at 13h00) | |
| 4 | 1 Oct 25 | NTFS file system (recording) | Carrier §11-13 | Lab 3 – FAT32 (due 8 Oct at 13h00) | |
| 5 | 8 Oct 25 | Windows (recording) | Carvey | Lab 4 – NTFS (due 15 Oct at 13h00) | |
| 6 | 15 Oct 25 | Windows (con’t) Linux (recording) | Carvey | Lab 5 – Windows 11 (due 22 Oct at 13h00) | |
| 7 | 22 Oct 25 | Linux (con’t) | Lab 6 – Linux (due 29 Oct at 13h00) | ||
| 8 | 29 Oct 25 | Windows Objects (recording) Process, handles and tokens (recording) | Ligh §1, 3-5 Ligh §6 | Must have selected a research paper | Lab 7 – Malicious Processes (due on 5 Nov at 13h00) |
| 9 | 5 Nov 25 | Process memory internals (recording) | Ligh §7-8 | Lab 8 – Rootkits (due on 12 Nov at 13h00) | |
| 10 | 12 Nov 25 | Kernel forensics and rootkits (recording) | Ligh §13 | Final exercise (Instructions, template) (due on 3 Dec at 13h00) | |
| 11 | 19 Nov 25 | Final exercise (recording) | Final exercise | ||
| 12 | 26 Nov 25 | No class (work on exercise and presentation) | Final exercise | ||
| 13 | 3 Dec 25 | Student presentations (schedule, eval sheet) | |||
| 14 | 10 Dec 25 | No class (end of term) |