2024-2025 / INFO8012-1

Digital Forensics

Durée

30h Th, 12h Labo., 30h Proj.

Nombre de crédits

 Master en sciences informatiques, à finalité spécialisée en "computer systems security" (années paires, organisé en 2024-2025) 5 crédits  
 Master en sciences informatiques, à finalité spécialisée en "computer systems security" (double diplômation avec HEC) (années paires, organisé en 2024-2025) 5 crédits  
 Master : ingénieur civil en informatique, à finalité spécialisée en "management" (années paires, organisé en 2024-2025) 5 crédits  
 Master : ingénieur civil en informatique, à finalité spécialisée en "intelligent systems" (années paires, organisé en 2024-2025) 5 crédits  
 Master en sciences informatiques, à finalité spécialisée en "management" (années paires, organisé en 2024-2025) 5 crédits  
 Master : ingénieur civil en informatique, à finalité spécialisée en "computer systems security" (années paires, organisé en 2024-2025) 5 crédits  
 Master : ingénieur civil en informatique, à finalité spécialisée en "computer systems security" (double diplômation avec HEC) (années paires, organisé en 2024-2025) 5 crédits  
 Master en sciences informatiques, à finalité spécialisée en "intelligent systems" (années paires, organisé en 2024-2025) 5 crédits  

Enseignant

Benoît Donnet, Laurent Mathy

Langue(s) de l'unité d'enseignement

Langue anglaise

Organisation et évaluation

Enseignement au deuxième quadrimestre

Horaire

Horaire en ligne

Unités d'enseignement prérequises et corequises

Les unités prérequises ou corequises sont présentées au sein de chaque programme

Contenus de l'unité d'enseignement

On one hand, a Digital evidence refers to any probative information stored or transmitted in digital form that a party to a court case may use at trial (e.g., emails, digital photos, ATM transaction logs, databases backups, ...).  On the other hand, digital forensics is a branch of forensic science concerned with the proper acquisition, preservation, and analysis of digital evidence, typically after an unauthorized access or use has taken place.  Digital forensics follows the goal to explain the current state of a digital artifact.

This course aims at providing a first look at digital forensics, in particular focusing on network forensics (i.e., monitoring and analyzing network traffic), computer data forensics (i.e., flash, HDD, USB device), and mobile devices forensics (i.e., collect digital evidence from mobile devices).

Table of Content:

Part 0: Administrative Details (B. Donnet)

Part 1: Digital Forensics Methodology (B. Donnet)

  • Chap. 1: Generalities
  • Chap. 2: Sources of Evidences
  • Chap. 3: Evidence Acquisition
Part 2: Network Forensics (B. Donnet)

  • Chap. 1: Deep Web
  • Chap. 2: Email Forensics
  • Chap. 3: Traffic and Packet Analysis
  • Chap. 4: Wireless and Mobile Network Investigation
Part 3: Computer Data Forensics (L. Mathy)

  • Chap. 1: File System Forensics
  • Chap. 2: FAT File System
Part 4: Reversing (L. Mathy) 


 

Acquis d'apprentissage (objectifs d'apprentissage) de l'unité d'enseignement

Upon completing this course, students are expected to:

  • understand the basics of computer data and network forensics
  • acquire hands-on practice on digital forensics investigation
  • be prepared for active research at the forefront of this area.
Ce cours contribue aux acquis d'apprentissage I.2, II.2, III.1, III.4, IV.3, IV.4,
VI.1, VII.1, VII.6 du programme d'ingénieur civil en informatique.  

Savoirs et compétences prérequis

Students are supposed to have a good knowledge of basic Computer Networking (INFO0010 or assimilated) and of basic Operating Systems (INFO0940 or assimilated).
It is not required to have any knowledge in Computer Security

Activités d'apprentissage prévues et méthodes d'enseignement

The course is organized as follows

  • Lectures (30hours) describing in details the theoretical and practical aspects of the course
  • Lab sessions (10h) to be done individually.  Each lab ends with a small report to complete (a simple text file to fill in with answers or pieces of code).

Mode d'enseignement (présentiel, à distance, hybride)

If possible, face-to-face lectures will be organized, in addition to lab sessions and assignments (carried out remotely).
According the CoVID19 pandemia evolution, it is still possible that the course will be reorganized remotely (WebEx/Collaborate virtual classes, podcast, ...)
The course is entirely given in English.

Supports de cours, lectures obligatoires ou recommandées

Slides, as well as assignments and labs subjects, are available on the course Web Site.

The course has been built based on those books:

  • E. Casey.  Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet.  3rd Edition, Academic Press.  May 2011.
  • R. C. Neuman.  Computer Forensics: Evidence Collection and Preservation.  EC Council Press.  2010.
  • S. Davidoff, J. Ham.  Network Forensics: Tracking Hackers Through Cyberspace.  Prentice Hall.  May 2012.
  • M. Robinson.  Digital Forensics Workbook: Hands-on Activities in Digital Forensics.  WorkBook Edition.  October 2015.
  • B. Carrier.  File System Forensic Analysis.  Ed. Addison-Wesley.  2005.
  • N. A. Mikus.  An Analysis of Disc Carving Techniques.  MS Thesis.  Naval Postgraduate School.  2006.  See https://calhoun.nps.edu/bitstream/handle/10945/2219/05Mar_Mikus.pdf?sequence=1
  • D. Farmer, W. Venema.  Forensic Discovery.  Ed. Pearson Education.  2009.  Chapter 5.  
  • A. Hoog.  Android Forensics: Investigation, Analysis, and Mobile Security for Google Android.  Ed. Syngpress.  June 2011.
  • M. K. Bergman.  The Deep Web: Surfacing Hidden Value.   White Paper.
  • T. V. Lillard, C. P. Garrison, C. A. Schiller, J. Steele.  Digital Forensics for Network, Internet, and Cloud Computing. Ed. Elsevier.  2010 

Modalités d'évaluation et critères

Examen(s) en session

Toutes sessions confondues

- En présentiel

évaluation orale

Evaluation continue


Informations complémentaires:

The evaluation is twofold:

  • Labs are evaluated (a simple text file to fill in during/right after the lab with students' answers).  They account for 40% of the final grade.
  • The oral exam (on the theoretical part of the course) accounts for 60% of the final grade.  Note that the oral exam will require the student to answer to only one question (based either on material reviewed by L. Mathy, or by B. Donnet).
Presence at labs is mandatory. Attending all labs and doing both assignments are required for attending the oral exam.  In case of Lab absence, the student will receive an "Absence" grade (and automatically be postponed to the resit).

In case of failure in June: All grades strictly below 10/20 must be presented during summer (labs and/or oral exam). Labs must be submitted for the 1st day of the resit, on the submission platform. Presenting all grades below 10/20 in the resit is mandatory (otherwise, an absence grade is assigned)

As the course is given every two years, in case of (definitive) failure, the student will have to do  the oral exam + labs the following year.

Stage(s)

Remarques organisationnelles et modifications principales apportées au cours

The course is proposed every 2 years (given during Academic Year 2022-2023).

The course is given during the second semester

Contacts

Professors:

  • Benoit Donnet (office 1.87b/B28)
  • Laurent Mathy (office 1.15/B37)
TA:

  •  Vincent Jacquot

Association d'un ou plusieurs MOOCs

Notes en ligne

Course Web Site
The course web site contains PDF of the slides, labs/assignments subjects, details about gradings, and the course agenda.  It also allows students to interact with the Pedagogical Team through the Discussion forum.