CS 410 Top: Introduction to Digital Forensics

Credit Hours: 4
Course Coordinator: Warren Harrison
Course Description: This course takes a detailed, hands-on approach to the investigation of incidents in which computers or computer technology play a significant or interesting role. Students completing this course will be familiar with the core computer science theory and practical skills necessary to perform rudimentary computer forensic investigations, understand the role of technology in investigating computer-based crime, and be prepared to deal with investigative bodies at a rudimentary level.
Prerequisites: Undergraduate classes in operating systems, algorithms, and software engineering, or instructor’s permission. No prior background in criminal justice or law is assumed.
Goals: Upon the successful completion of this course students will be able to:
  1. Identify relevant electronic evidence (both inculpatory and exculpatory) associated with various violations of specific laws, including, but not limited to, computer crimes.
  2. Locate and recover relevant electronic evidence from Linux and Windows systems using a variety of tools.
  3. Identify and articulate probable cause as necessary to obtain a warrant to search for electronic artifacts, and recognize the limits of warrants
  4. Recognize and maintain a chain of custody of electronic evidence.
  5. Follow a documented forensics investigation process.
Textbooks:
  • Computer Forensics and Privacy, by Michael A. Caloyannides   ISBN:1580532837, Artech House © 2001 (392 pages).
  • Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet, Second Edition, by Eoghan Casey, ISBN:0121631044, Academic Press © 2004 (690 pages). PRIMARY TEXT
  • Handbook of Computer Crime Investigation: Forensic Tools and Technology, by Eoghan Casey (ed)   ISBN:0121631036, Butterworth Heinemann © 2002 (448 pages).
  • Computer Forensics: Computer Crime Scene Investigation, by John R. Vacca   ISBN:1584500182, Charles River Media © 2002 (731 pages) .
References:
  • A Guide for Preparing Digital Evidence for Courtroom Presentation (http://www.ncfs.org/DE_courtroomdraft.pdf)
  • Federal Criminal Code (http://assembler.law.cornell.edu/uscode/html/uscode18/usc_sup_01_18_10_I.html)
  • Federal Rules of Evidence (http://www.law.cornell.edu/rules/fre/overview.html)
  • Electronic Crime Scene Investigation: A Guide for First Responders (http://www.ncjrs.org/pdffiles1/nij/187736.pdf)
  • NIST National Software Reference Library (http://www.itl.nist.gov/div897/docs/nsrl.html)
  • Oregon Revised Statutes (http://www.leg.state.or.us/ors/)
  • Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations (http://www.cybercrime.gov/s&smanual2002.htm)
  • Sleuthkit and Autopsy (http://sleuthkit.org)
Major Topics:
  • relevant electronic evidence
  • probable cause
  • limits of warrants
  • chain of custody
  • the forensics investigation process
  • forensics tools
  • forensics issues in Linux and Windows.
Laboratory Exercises: Project 1. 3 weeks. Two-person student teams will develop a prototypical evidence disk (8G hard drive) representative of a violation of the Oregon State Criminal Statutes. Students are free to select any crime they wish, but examples would include identity theft, cyberstalking, computer crime, etc. Deliverables will include the evidence disk, and a report detailing where each piece of digital evidence can be found.

Project 2. 3 weeks. Two-person student teams will investigate the evidence disk prepared by another student team in Project 1. Theire deliverables include a report detailing the evidence they found, including a detailed explanation of how it was found, as well as a 30 minute presentation to the rest of the class describing the outcome of their investigation.


CAC Category Credits Core Advanced
Data Structures 0.5
Algorithms 0.5
Software Design
Computer Architecture 0.5
Programming Languages

Oral and Written Communications: Every two-person team of students is required to submit at least 2 written reports (not including exams, tests, quizzes, or commented programs) of typically 12 pages and to make 1 oral presentations of typically 30 minutes duration.
Social and Ethical Issues:
  • privacy – particularly why you need search warrants – tested by examination and project 2
  • laws related to computer crime – tested by examination and project 1
  • impact of appellate decisions on privacy – tested by examination and project 2
Theoretical Content: None
Problem Analysis: Students will develop a strategy to (legally) search a hard drive in order to find evidence
Solution Design: No software design involved