You will cover the ways in which data is generated, stored, and transmitted in a number of settings including desktop and mobile environments as well as networks. Preserving the integrity of such evidence also in the presence of malware or explicit counter-forensic mechanisms as well as means for discovering the presence of such mechanisms is also covered explicitly.

Topics covered

• Introduction
• Storage forensics
• Host forensics
• Selected aspects of network forensics
• Malware forensics
• Mobile device forensics
• Steganography (not examinable)
• Forensic analysis of embedded device

Learning outcomes

If you complete the course successfully, you should be able to:

• Have an understanding of audit and indirect dynamic activity records retained by operating systems, particularly in file systems
• Understand selected network protocols, collection and derivation of evidence allowing reconstruction of activities
• Be able to identify and apply sound forensic practices
• Be able to identify and counter obfuscation and counter-forensic techniques
• Have in-depth insight on retention characteristics of storage systems for desktop, mobile, and non-standard computing systems

Assessment

This module is assessed by a two hour unseen written examination.

Essential reading

• C. Altheide, H. Carvey: Digital Forensics with Open Source Tools, Syngress (2011)
• E. Casey: Digital Evidence and Computer Crime, 3rd ed. Academic Press (2011)