Digital Forensics – COMP6445
Extended Digital Forensics – COMP6845
Course Outline 2020T3
These two courses run in an overlapping mode. Both share a set of common activities and assessments; however, 6845 students have additional extension activities and assessments related to digital forensics and professional security engineering in lieu of some of the core activities undertaken by 6445 students. The information below applies to both courses except where otherwise indicated.
Course Website
This course is hosted on Openlearning, and that’s where we’ll all share information and communicate.
The first time you access the course site on Openlearning you must do that via the link in Moodle in order to correctly link your Openlearning account to your zID:
1. Find the Digital Forensics course page on Moodle (it’s just a stub page); then
2. Click on the link to Openlearning.
Subsequently you can access the course directly via: https://www.openlearning.com/unswcourses/courses/digital-forensics (https://www.openlearning.com/unswcourses/courses/digital-forensics/HomePage/)
Course Staff
Lecturers:
Tabitha Bauer, Timothy Boyce, Ajoy Ghosh
Convenor: Jiaojiao Jiang
Technical Admin: Brendan Nyholm
Industry Lead and Advisor: Adam Smallhorn
Lecturer in Charge: Richard Buckland
How to contact us
Speak/message with the lecturers at and after Zoom lectures
Speak with your tutor at/after Zoom tutorials
Chat with us and your classmates on the course website
Confidential questions about course:
Enquiries about Security Engineering major:
Summary of the course
Here is the handbook entry (http://www.handbook.unsw.edu.au/undergraduate/courses/current/COMP6445.html). This is a specialist security course in Digital Forensics. Topics include principles of forensic analysis, forensics and the law, forensics on several types of infrastructure, management of forensic methodologies and various real life case studies of forensic analyses. Students of this course will apply forensic methods in controlled environments and gain an understanding of the technical process of uncovering hidden data and other metadata which may reveal user behaviour. Students will also develop skills in reporting their findings and evaluate the ethical consequences of their findings.
Conditions for Enrolment
Prerequisite: (COMP6441 or COMP6841 or COMP9441), and (COMP9201 or COMP9283)
Course weekly schedule
Week Core Lecture Extended Lecture Assessment
Forensics Professionalism [Tabitha Bauer]
– The impact & history of digital forensics Applied Digital Forensics [Timothy Boyce]
– Course overview – Physical evidence handling
Extended Workshop [Ajoy Ghosh]
– Intro to the extended course
– Background on project/scenario
– Investigation quiz due Sun
Forensics Professionalism [Tabitha Bauer]
– The forensic method – Ethics in forensics Applied Digital Forensics [Timothy Boyce]
– Physical layer – Data Carving – Acquisition
No workshop
– Investigation quiz due Sun Extended Course Artifact drop 1: HDD 1
Forensics Professionalism [Ajoy Ghosh]
– Forensics documenting – Ethics & the Legal Process
– The Law & Witness Statements
Applied Digital Forensics [Timothy Boyce]
– File systems
Extended Workshop [Ajoy Ghosh]
– Written report due
No Class – Public Holiday
Extended Workshop Reviewing findings on artifact 1
– Investigation quiz due Sun Extended Course
– In-class presentations
– Artifact drop 2: network
Forensics Professionalism [Tabitha Bauer]
– Self-care
Applied Digital Forensics [Timothy Boyce]
– Timeline analysis – Windows artifacts – Linux/Mac
Extended Workshop [Ajoy Ghosh]
– Investigation quiz due Sun
6 Quiet Week
Forensics Professionalism [Tabitha Bauer]
– The investigative process – Putting it all together Applied Digital Forensics
– Memory forensics – Network forensics
Student presentations Reviewing findings on artifact 2
– Investigation report due Extended Course
– In-class presentations
– Artifact drop 3: mobile
Forensics Professionalism [Ajoy Ghosh]
– Expert witnessing
– Forensics & Metadata Applied Digital Forensics
– Mobile Forensics
– Antiforensics
– Logs & Cloud
Extended Workshop [Ajoy Ghosh]
– Investigation quiz due Sun
Forensics Professionalism [Tabitha Bauer]
– Case studies
– Presenting your work
Applied Digital Forensics
– OSINT & Guest Lecturers
Extended Workshop [Ajoy Ghosh]
– Investigation quiz due Sun Extended Course
– Expert Witness Report due
Extended Court Case
Review & Feedback
Investigation quiz due Sun
Final exam
(date TBC)
Assessment
6445 – Core
40% – Exam
60% – Course work
15% – Weekly investigation – Case report – w3
15% – Weekly investigation – Case report – w7
20% – Weekly investigations – quizzes – other weeks
10% – Weekly forensic professionalism reflections – participation each week
6845 – Extension
30% Core Course Work
7.5% – Weekly investigation – written case report – w3
7.5% – Weekly investigation – written case report – w7
10% – Weekly investigations – quizzes – other weeks
5% – Weekly forensic professionalism reflections – participation each week
50% – Extended Investigation & Trial
5% Data Drop 1 – w4
5% Data Drop 2 – w7
40% Final Case Report – w9
Reference Books
Real Digital Forensics: Computer Security and Incident Response
Incident Response & Computer Forensics, Third Edition
Requirements
This course requires you to Bring Your Own Device. Any laptop capable of running the software in the pre-course preparation activities (Week 0 Activity) should be sufficient; you do not need a super-fancy machine. Note that even if we return to labs during Term 3 you will still need to bring your own device as the CSE lab computers won’t have the required software to perform exercises or assignments.
This course makes use of VMs which can be slow on low powered devices, however tools can be installed separately to improve performance.
Due to COVID all of the tutorial content will be distributed online requiring you to download some large files. If this is an issue for you because of poor quality internet connection contact us via the course email and alternative arrangements can be made.
If you have difficulties in arranging any of the above discuss this with the course staff as soon as possible and ensure you have been able to arrange satisfactory workable solutions before the census date.
Learning Outcomes
After completing COMP6445, students will:
Have an applied working knowledge of the principal elements of digital forensic literacy (such as Windows, Linux and OSX disk structures, machine memory structure, operating system structure caches logging and redundancy, device design authentication operation and weakness, boot and initialisation sequences, storage encryption, network logging, stealth techniques and anti-forensic strategies). Understand how these elements can be used to extract and infer digital traces of activity, their characterising
Be able to conduct forensic analysis on common systems
Have an understanding of issues and key principles of professional digital forensic practice (including chain of custody and best practice procedures)
Apply an understanding of digital forensics to design, conduct, and report on effective forensic investigations.
This course contributes to the development of the following graduate capabilities:
Graduate Capability Acquired in
Scholars capable of independent and collaborative enquiry, rigorous in their analysis, critique and reflection, and able to innovate by applying their knowledge and skills to the solution of novel as well as routine problems
Tutorials, Assignments
Entrepreneurial leaders capable of initiating and embracing innovation and change, as well as engaging and enabling others to contribute to change
Lectures, Tutorial- Labs, team learning activities
Professionals capable of ethical, self-directed practice and independent lifelong learning
Lectures, Written and practical activities
Global citizens who are culturally adept and capable of respecting diversity and acting in a socially just and responsible way
Lectures, team learning activities
Teaching Rationale
Applied forensic skills are best mastered and reinforced by considerable practice, so labs and programming assignments are a critical component of the course. These will help you to practice design and implementation skills, and to further develop your professional teamwork skills. The reports and weekly reflections will help you develop your ability to reflect on your own work, which is an essential professional skill. Weekly tutorials provide a forum for you to develop design skills and to practice presentation. Lectures will be split between discussion of concepts, discussion of practical work (and practical demonstrations), revision work, and extension lectures. Students are given weekly formative activities to work on in tutorials/labs. Students are also given exercises to explore topics in greater depth. Extended students will have an additional professional project based on a mock trial. Students in both standard and extended courses are expected to spend 150 hours on the course. We expect students to spend a significant time each week on self-directed studies related to forensics. This ranges from reviewing lecture materials, learning related content, to going to security meetups, playing CTFs, and private experiments and research.
Student Conduct
The Student Code of Conduct (Information (https://student.unsw.edu.au/conduct), Policy (https://www.gs.unsw.edu.au/policy/documents/studentcodepolicy.pdf)) sets out what the University expects from students as members of the UNSW community. As well as the learning, teaching and research environment, the University aims to provide an environment that enables students to achieve their full potential and to provide an experience consistent with the University’s values and guiding principles. A condition of enrolment is that students inform themselves of the University’s rules and policies affecting them, and conduct themselves accordingly.
In particular, students have the responsibility to observe standards of equity and respect in dealing with every member of the University community. This applies to all activities on UNSW premises and all external activities related to study and research. This includes behaviour in person as well as behaviour on social media, for example Facebook groups set up for the purpose of discussing UNSW courses or course work. Behaviour that is considered in breach of the Student Code Policy as discriminatory, sexually inappropriate, bullying, harassing, invading another’s privacy or causing any person to fear for their personal safety is serious misconduct and can lead to severe penalties, including suspension or exclusion from UNSW.
If you have any concerns, you may raise them with your lecturer, or approach the School Ethics Officer Grievance Officer (grievance- or one of the student representatives.
Plagiarism at UNSW is defined as using the words or ideas of others and presenting them as your own. UNSW and CSE treat plagiarism as academic misconduct, which means that it carries penalties as severe as being excluded from further study at UNSW. There are several on-line sources to help you understand what plagiarism is and how it is dealt with at UNSW:
Plagiarism and Academic Integrity (https://student.unsw.edu.au/plagiarism)
UNSW Plagiarism Procedure (https://www.gs.unsw.edu.au/policy/documents/plagiarismprocedure.pdf)
Make sure that you read and understand these. Ignorance is not accepted as an excuse for plagiarism. In particular, you are also responsible for ensuring that your assignment files are not accessible by anyone but you, by setting the correct permissions in your CSE directory and code repository, if using one. Note also that plagiarism includes paying or asking another person to do a piece of work for you and then submitting it as your own work.
UNSW has an ongoing commitment to fostering a culture of learning informed by academic integrity. All UNSW staff and students have a responsibility to adhere to this principle of academic integrity. Plagiarism undermines academic integrity and is not tolerated at
If you haven’t done so yet, please take the time to read the full text of
UNSW’s policy regarding academic honesty and plagiarism (https://student.unsw.edu.au/plagiarism)
The pages below describe the policies and procedures in more detail:
Student Code Policy (https://www.gs.unsw.edu.au/policy/documents/studentcodepolicy.pdf)
Student Misconduct Procedure (https://www.gs.unsw.edu.au/policy/documents/studentmisconductprocedures.pdf)
Plagiarism Policy Statement (https://www.gs.unsw.edu.au/policy/documents/plagiarismpolicy.pdf)
Plagiarism Procedure (https://www.gs.unsw.edu.au/policy/documents/plagiarismprocedure.pdf)
You should also read the following page which describes your rights and responsibilities in the CSE context:
Essential Advice for CSE Students (https://www.engineering.unsw.edu.au/computer-science-engineering/about-us/organisational-structure/student-services/policies/essential-advice-for-cse-students)
Good Faith Policy
This course has a “Good Faith Policy”. This means we expect you to act in good faith at all times. We expect you to be a good citizen. To not invade, alter or damage the property of others including the university, invade the privacy of others, break any laws or regulations, annoy other people, deprive others of access to resources, breach or weaken the security of any system, or do or omit to do anything else which you know or suspect we would not be happy about. Furthermore you are not to do anything which appears OK by a loophole or a strict interpretation of “the letter of the law” but which is not consistent with the spirit. Basically you must not act in any way so as to bring disrepute to the reputation of the course, the course staff, fellow students, the school, the university, or the ICT profession. Also, don’t be a dick.
If you are unsure, ask!
If, in our sole discretion, we feel you have violated the Good Faith Policy or cheated in any assessment you will be awarded 0 Fail for the course. Further penalties may apply also depending on the nature and severity of the violation. Students who have violated the Good Faith Policy may not be permitted to re-enrol in future offerings of the course.
Students who are found (or who have previously been found and have not disclosed this) guilty of academic or computer related misconduct or any other activity in a way which casts doubt on their ability or willingness to comply with the Good Faith Policy will be dis-enrolled and will not be permitted to re-enrol in future offerings of the course. If you have ever been found guilty of such an activity you must disclose it to the lecturer in writing immediately.
Supplementary Exams
Supplementary exams will only be awarded in well justified cases. They will not be awarded if your reason for not sitting the final exam was for holiday travel (!). Read the School policy for Special Consideration (https://student.unsw.edu.au/exams/supplementary).
There will only be one supplementary exam held. If you miss it you will not be awarded another. So do not plan overseas travel at the end of the exam period if there is any chance you may wish to sit a supplementary exam. It is up to you to contact the school office and/or website and find the date of the supplementary exam and keep it free (the date is usually set centrally by the school, not by the course staff). If you think you might be eligible for the supplementary exam, hold yourself ready to sit it – sometimes people are awarded entry to the supplementary exam at the last minute and saying “I didn’t know if I would be awarded it so I didn’t study for it” is not a valid reason for special treatment.
Exam marks and your overall course result will be scaled if necessary, to keep the standard of the different grade levels consistent from year to year and between the security engineering courses. In particular we strive to ensure that the pass/fail boundary and the D/HD boundary are roughly equivalent from year to year. This means your final course mark will not just be the sum of the raw marks for each of the individual items. In cases where the overall result for the teamwork assessment items significantly exceeds the individual (non-team) assessment items the teamwork results will be capped at the level of the individual results and you may be called in for an interview to explain the difference. In significant cases you may be offered further practical individual assessment activity to replace your team results and you will not be awarded a pass in the course unless you clearly demonstrate pass level ability in that work.
Identified Work
We use assessment feedback as a way of your facilitator getting to know you and the areas in which you need help. Hence assignment work is not marked anonymously. Contact the course administrator or lecturers if you have any individual concerns with this approach. Wherever possible we share student work as a way of developing the entire cohort. If you do not wish to be identified in any of your work which is shared, contact the course administrator or lecturers and discuss it with them BEFORE submitting the work.
Course Evaluation and Development
These courses are still relatively new, and we strongly encourage students to actively provide feedback about the course’s progress. Each tutorial-lab class will elect a student representative – give your feedback to them and they will pass it onto the course staff anonymously. We’ll also run some feedback sessions over the course where you can give feedback and suggestions. Many of the good things in the course now have come from students giving great suggestions in the past, so do pass on your thoughts: we take them seriously and they make a difference.
These courses will also be evaluated by UNSW’s myExperience survey and feedback program at the end of the trimester. It’s not a brilliant survey but it actually helps us a lot if you fill it in as it’s pretty much the main feedback that the rest of the university administration looks at and good feedback helps us survive and grow.
You, The Future
We are proud of our former students, they are awesome, and go on to do good things and be good people. Indeed some of the industry guest lecturers in UNSW SECedu courses are often former UNSW security students. So please stay in touch after you have gone and let us know your achievements and what you are doing. It makes us happy and we are proud to brag about you.
Please do thank the returning and new guest lecturers and let them know how much you appreciated their effort and care in giving up so much time to help you. They go to considerable trouble to do this and they do it because they think it is the right thing to do to grow the profession and to help those coming after them.
After you graduate please consider giving back (well paying forward really) and coming back to help future students once you are an industry practitioner. The help former students give future students is quite moving and changes lives.
Also, even sooner than that, after you have finished this course, if you enjoyed it, then let your tutor know and we will consider you as a staff member for the next offering of the course. Teaching others is very rewarding, gives you great professional skills, makes you more connected in the profession and, weirdly enough, helps you master the material of the course to a level far beyond the level you attained when you did it as a student. We don’t just look for results when selecting tutors and course staff. The lecturers are the domain experts, not the tutors. In selecting tutors we mainly look for communication ability, kindness, an interest in developing leadership skills, a sense of fun, and a love for the course material.