Evidence Imaging

Curriculum Guideline

Effective Date:
Course
Discontinued
No
Course Code
CSIS 3160
Descriptive
Evidence Imaging
Department
Computing Studies & Information Systems
Faculty
Commerce & Business Administration
Credits
3.00
Start Date
End Term
Not Specified
PLAR
No
Semester Length
15 Weeks
Max Class Size
35
Course Designation
None
Industry Designation
CCSP,CEH,CFCE,CHFI,CISA,CISM,CISSP,CRISC,GCFA,GCFE,GSEC,OSCP
Contact Hours

Lecture: 2 hours/week

Seminar: 2 hours/week

Method(s) Of Instruction
Lecture
Seminar
Learning Activities

The methods of instruction for this course will include lectures, seminars, and hands-on exercises.

Course Description
This course covers the concepts and practical skills of gathering, collecting, and recovering various cyber-security artifacts as digital evidence that can be used in forensic analysis. The course introduces students to the different types of digital information stored in file, registry, application, internet, and network artifacts that should be gathered as evidence. Students will gain practical hands-on in using different tools such as EnCase, FTK and dd to create evidence image. Student will also learn how to analyze and to add interpretation to the raw data to conduct further analysis.
Course Content

 1.    Introduction of various systems where digital evidence can be gathered for forensic analysis
 2.    Different types of digital evidence
 3.    Evidence image creation using various tools such as EnCase, FTK and dd
 4.    File Recovery
 5.    Windows Registry evidence analysis
 6.    File and metadata analysis
 7.    Internet browser applications evidence
 8.    Windows log files analysis
 9.    File Carving
10.   Introduction to network evidence gathering and analysis
11.   Introduction to mobile data gathering and analysis

 

Learning Outcomes

At the end of this course, the successful student will be able to:

  1. Explain the process of digital evidence gathering, imaging and analysis
  2. Describe the different sources of forensic artifacts in a system and be able to gather them as evidence
  3. Use tools to create evidence imaging such as EnCase, FTK and dd
  4. Mount the evidence image to a system and recover files for further analysis
  5. Use tools to analyze windows registry and NTUSER.DAT file
  6. Perform file and metadata analysis
  7. Gather and analyze internet evidence from the browser’s history, cookie, temporary internet files and INDEX.DAT file
  8. Search and analyze information from the Windows log files
  9. Perform file carving from unallocated space on a hard drive
  10. Describe the process to gather evidence from network devices and smart phone

 

Means of Assessment

Assessment will be in accordance with the ÁñÁ«ÊÓƵ Evaluation Policy.

Assignments and Labs

10-25%

Quiz(zes)*

10-20%

Midterm Examination*

25-35%

Final Examination*

25-40%

Total

100%

 Some of these assessments may involve group work.

* Practical hands-on computer exam

In order to pass the course, students must, in addition to receiving an overall course grade of 50%, also achieve a grade of at least 50% on the combined weighted examination components (including quizzes, tests, exams).

Students may conduct research as part of their coursework in this class. Instructors for the course are responsible for ensuring that student research projects comply with College policies on ethical conduct for research involving humans, which can require obtaining Informed Consent from participants and getting the approval of the ÁñÁ«ÊÓƵ Research Ethics Board prior to conducting the research.

 

Textbook Materials

Michael K. Robinson. Digital Forensics Workbook. Latest Edition and/or other textbook/s approved by the department

 

Prerequisites

Min grade C in CSIS 2260

Corequisites

 

Equivalencies

Courses listed here are equivalent to this course and cannot be taken for further credit:

  • No equivalency courses