CS 798 - Digital Forensics and Incident Response - Winter 2024
Syllabus
| Instructor | Diogo Barradas | |
| diogo.barradas@uwaterloo.ca | ||
| Lecture times | 10:00-11:20TTh | |
| Office Hours | 10:00-11:00M in DC 2631 | |
Note that all times for this course are specified in Eastern Time (the timezone of Waterloo and Toronto).
Course Description
The goal of this course is to expose students to the core forensic methodologies required for acquiring, preserving, and analyzing digital evidence in the context of investigations related to computer crimes. Students will become aware of the main technical and legal issues involved in the preservation of evidence in light of the Canadian cybercrime law, and will gain expertise in a range of computer forensics tools required for collecting and analyzing digital evidence gathered from multiple sources, including file systems, volatile memory, and network traffic. Know-how of the above procedures and tools will prepare students to become active players in the handling and response to computer security incidents.
Course Outline
- • Module 1: The digital investigation process
- • Module 2: File system forensics
- • Module 3: Memory and OS forensics
- • Module 4: Network forensics
- • Module 5: Anti-forensic techniques
- • Module 6: Mobile and cloud forensics
- • Module 7: Incident response
Grading Scheme
Grades for this course will be calculated as follows:
| 60% | Assignments (20%, 20%, 20%) |
| 40% | Final exam |
Final grades will be available after the end of term through LEARN.
Assignments:
The three assignments are expected to be completed in groups (2 students). The assignments are based on practical exercises and are focused on solving different stages of a mock digital forensics investigation. Students will leverage the knowledge and techniques presented in the lectures for completing the assignments.
The assignments are due at 3:00 pm Eastern Time on their respective due dates. We do NOT accept any late assignment submissions, unless you have a legitimate reason with formal proof (e.g. hospitalization, family urgency, etc.). Traveling, busy with other stuff, or simply forgetting to submit, are not considered legitimate.
Final exam:
The final exam is solved individually and is written-only (no programming involved). It covers material from the whole term. You have 2 hours and 30 minutes to complete the set of questions.
If your score in the final exam is below 45%, you cannot pass the course.
The final exam will be administered on campus in accordance with University policies. The exact date and time of the final exam is yet to be scheduled by the Registrar office, we will update the syllabus once we receive more details.
If you anticipate a problem with taking the final exam, contact the course instructors as early as possible. In order to receive accommodation for the final exam, you must obtain a Verification of Illness Form that has been filled out by a physician. If the final exam is already written, no special action will be taken if you decide afterward that you did not do a good job due to illness.
If you are unable to write the final exam due to illness, you should seek medical treatment and provide confirmation of the illness to the instructors within 48 hours by submitting a completed Verification of Illness Form to support your request. The Verification of Illness Form is normally the only acceptable medical documentation and is available online. You will receive an INC (incomplete) grade and you need to write the final exam in a subsequent term in order to complete the course.
Textbooks
Primary Bibliography
- •Eoghan Casey - Digital Evidence and Computer Crime, 3rd edition, Academic Press, 2011, ISBN: 978-0-123-74268-1 (hardcopy), 978-0-080-92148-8 (eBook)
- •Brian Carrier - File system forensic analysis, 1st edition, Safari Tech Books Online, 2005, ISBN: 0-13-443954-6 (hardcopy), 0-321-26817-2 (eBook)
- •Jason Luttgens, Matthew Pepe, Kevin Mandia - Incident Response & Computer Forensics, 3rd edition, McGraw-Hill Education, 2014, ISBN: 0-07-179868-4 (hardcopy), 0-07-179869-2 (eBook)
Secondary Bibliography
- •Neil F. Johnson, Zoran Duric, Sushil Jajodia - Information Hiding: Steganography and Watermarking - Attacks and Countermeasures, 1st edition, Springer, 2001, ISBN: 978-0-7923-7204-2 (hardcopy), 978-1-4615-4375-6 (eBook)
- •Rohit Tamma, Oleg Skulkin, Heather Mahalik, Satish Bommisetty - Practical Mobile Forensics, 4th Edition, Packt Publishing, 2020, ISBN: 1-83864-442-3 (hardcopy), 1-83864-752-X (eBook)
- •Darren Quick, Ben Martini, Kim-Kwang Raymond Choo- Cloud Storage Forensics, 1st edition, Syngress, 2014, ISBN: 0-12-419970-4 (hardcopy), 1-306-15439-1 (eBook)
- •Wojciech Mazurczyk, Steffen Wendzel, Sebastian Zander, Amir Houmansadr, Krzysztof Szczypiorski - Information Hiding in Communication Networks: Fundamentals, Mechanisms, Applications, and Countermeasures, 1st edition, Wiley, 2016, ISBN: 978-1-1188-6169-1 (hardcopy), 978-1-1190-8183-8 (eBook)
Optional readings/resources
Optional resources will be listed on each lecture's slides.
Communication
Please direct all communication to the Piazza discussion forum.
This includes questions about materials in lectures, assignments, and general logistics.
It is your responsibility to keep up with all course-related information posted to LEARN,
the course Piazza forum, and the course website.
Etiquette:
Please go through your peers' and the instructors/TAs' notes or comments, before posting a question. If question doesn't exist and it involves private content (query about grades, partial progress towards solution), then create a private question that is only visible to the instructors and TAs. (The instructor(s) or TAs may make a private question public, possibly after editing it, if they decide that it is of general interest.) Otherwise, in general, create a public one so that your peers can benefit too. Tag your question with the appropriate folder for the assignment, etc.Email:
Important course information will generally be posted to LEARN, but may also be sent to your uwaterloo.ca email address. For personal matters, such as an illness, please email the instructors directly. We will only reply back to email from your uwaterloo.ca email address, for privacy rules.General University Policy
Academic Integrity: In order to maintain a culture of academic integrity, members of the University of Waterloo community are expected to promote honesty, trust, fairness, respect and responsibility. Check the Office of Academic Integrity's website for more information.
All members of the UW community are expected to hold to the highest standard of academic integrity in their studies, teaching, and research. This site explains why academic integrity is important and how students can avoid academic misconduct. It also identifies resources available on campus for students and faculty to help achieve academic integrity in — and out — of the classroom.
Grievance: A student who believes that a decision affecting some aspect of his/her university life has been unfair or unreasonable may have grounds for initiating a grievance. Read Policy 70 — Student Petitions and Grievances, Section 4. When in doubt please be certain to contact the department's administrative assistant who will provide further assistance.
Discipline: A student is expected to know what constitutes academic integrity, to avoid committing academic offenses, and to take responsibility for his/her actions. Check the Office of Academic Integrity for more information. A student who is unsure whether an action constitutes an offense, or who needs help in learning how to avoid offenses (e.g., plagiarism, cheating) or about "rules" for group work/collaboration should seek guidance from the course professor, academic advisor, or the Undergraduate Associate Dean. For information on categories of offenses and types of penalties, students should refer to Policy 71 — Student Discipline. For typical penalties, check Guidelines for the Assessment of Penalties.
Avoiding Academic Offenses: Most students are unaware of the line between acceptable and unacceptable academic behaviour, especially when discussing assignments with classmates and using the work of other students. For information on commonly misunderstood academic offenses and how to avoid them, students should refer to the Office of Academic Integrity's site on Academic Misconduct and the Faculty of Mathematics Cheating and Student Academic Discipline Policy.
Appeals: A decision made or penalty imposed under Policy 70, Student Petitions and Grievances (other than a petition) or Policy 71, Student Discipline may be appealed if there is a ground. A student who believes he/she has a ground for an appeal should refer to Policy 72, Student Appeals.
Note for Students with Disabilities
AccessAbility Services, located in Needles Hall, Room 1401, collaborates with all academic departments to arrange appropriate accommodations for students with disabilities without compromising the academic integrity of the curriculum. If you require academic accommodations to lessen the impact of your disability, please register with AccessAbility at the beginning of each academic term.
Coronavirus Information and Resources
- Library COVID-19: Updates on library services and operations
- Coronavirus Information for Students This resource provides updated information on COVID-19 and guidance for accommodations due to COVID-19.
Mental Health Support
All of us need a support system. We encourage you to seek out
mental health supports when they are needed. Please reach out to Campus
Wellness and Counselling Services.
We understand that these circumstances can be troubling, and you
may need to speak with someone for emotional support. Good2Talk is
a post-secondary student helpline based in Ontario, Canada that is
available to all students.
Territorial Acknowledgement
We acknowledge that we live and work on the traditional territory of the Attawandaron (Neutral), Anishinaabeg, and Haudenosaunee peoples. The University of Waterloo is situated on the Haldimand Tract, the land promised to the Six Nations that includes ten kilometres on each side of the Grand River.