INT250

Digital Evidence Analysis

Lecture #0

© LPU :: INT250 – Digital Evidence Analysis

 Star Course
This course is considered as a Star course because it
has direct contribution to the placements of students.
It focuses on the necessary skills required for various
job profiles in a company.
Books
• Reference Book
 DIGITAL FORENSICS AND INCIDENT
RESPONSE by GERARD JOHANSEN,
PACKT PUBLISHING, 1st Edition,
(2017).

 INCIDENT RESPONSE & COMPUTER

FORENSICS by JASON LUTTGENS,
MATTHEW PEPE AND KEVIN MANDIA,
MCGRAW HILL EDUCATION, 1st
Edition, (2014).

 Prerequisite - Cyber Security

Essentials (INT242).
Books
• Reference Book
 DIGITAL FORENSICS AND INCIDENT
RESPONSE by GERARD JOHANSEN,
PACKT PUBLISHING, 1st Edition, (2017).

 INCIDENT RESPONSE & COMPUTER

FORENSICS by JASON LUTTGENS,
MATTHEW PEPE AND KEVIN MANDIA,
MCGRAW HILL EDUCATION, 1st Edition,
(2014).

 Prerequisite - Cyber Security Essentials

(INT242).
 MOOC/Certifications

• https://www.eccouncil.org/programs/comput
er-hacking-forensic-investigator-
Course Assessment Model
1. >=95% and 100% -- 5 marks
2. >=90% and <95% -- 4 marks
3.Each CAand
>=85% would
<90%be of-- 30 marks.
3 marks
• Marks break up
Best
4. 2 would
>=80% be taken
and <85% -- 2atmarks
the end
(60 marks) which would be
MTE would beout
ofof4020marks
• and
Attendance
prorated
it would be prorated to
5
ETE would
25 atbe
theofend
70 marks
and it would be prorated to
• CA(Best 2out
50 at the end of 3) 20
• MTE 25
• ETE 50
• Total
100
 Academic Task
• CA1- MCQ – 30 Marks

• CA2- Subjective Test – 30 Marks

• CA3- BYOD-Practical 20 marks – execution

» 10 report generation
Course Outcomes
Program Outcomes as specific
to the particular course
• PO-1:Engineering knowledge::Apply the knowledge of mathematics, science, engineering fundamentals, and an engineering specialization
to the solution of complex engineering problems.
• PO-2: Problem analysis::Identify, formulate, research literature, and analyze complex engineering problems reaching substantiated
conclusions using first principles of mathematics, natural sciences, and engineering sciences.
• PO-3:Design/development of solutions::Design solutions for complex engineering problems and design system components or processes that
meet the specified needs with appropriate consideration for the public health and safety, and the cultural, societal, and environmental
considerations.
• PO-4:Conduct investigations of complex problems::Use research-based knowledge and research methods including design of experiments,
analysis and interpretation of data, and synthesis of the information to provide valid conclusions.
• PO-5: Modern tool usage::Create, select, and apply appropriate techniques, resources, and modern engineering and IT tools including
prediction and modeling to complex engineering activities with an understanding of the limitations
• PO-8:Ethics::Apply ethical principles and commit to professional ethics and responsibilities and norms of the engineering practice.
• PO-9:Individual and team work::Function effectively as an individual, and as a member or leader in diverse teams, and in multidisciplinary
settings.
• PO-12: Life-long learning::Recognize the need for, and have the preparation and ability to engage in independent and life-long learning in
the broadest context of technological change.
• PO-13: Competitive Skills::Ability to compete in national and international technical events and building the competitive spirit
Revised Bloom’s Taxonomy
 List of practicals
• Integrity Check
MD5 Sum Utility
Simple Hasher Tool
• Network Evidence Collection
Network evidence collection and analysis of captured packet with the help of tcpdump
Nmap
Wireshark.
• Acquiring Host Based Evidence
Local volatile and non-volatile acquisition and memory acquisition with the help FTK
imager
• Understanding Forensic Imaging
Demonstration of Dead Imaging and Live Imaging with help of FTK Imager .
 List of practicals
• Network-Evidence Analysis
Analysis of packet information and gaining overall sense of traffic contained within a packet
capture with the help of Wireshark
• Network Log Analysis
Analyzing network log files with help of DNS Blacklists
• Analyzing System Memory
Reviewing the images of memory with the help of Mandiant Redline.
• Analyzing System Storage
Demonstration of timeline analysis
keyword searching and web and email artifacts and to filter results on known bad file hashes
using Autopsy.
• Window investigation
Demonstration of window investigation using OS Forensics
 Open Educational Resource

• Digital Forensics Essentials (DFE) | Coursera

 UNIT I
• Understanding Computer Forensics
• Computer Forensics Investigation Process
UNIT II
• Understanding Hard Disks and File Systems
Data Acquisition and Duplication
 UNIT III

• Evidence handling
– What is evidence?
– Challenges of evidence handling
– Evidence collection procedures

• Windows Forensics
– Collect Volatile and Non-volatile Information
– Perform Windows Memory and Registry Analysis
– Examine the Cache
– Cookie and History Recorded in Web Browsers, Examine Windows
Files and Metadata, Understand Text-based Logs and Windows Event
Logs
UNIT IV
• Linux
– Understand Volatile and Non-volatile Data in Linux,
– Analyze File system Image, Demonstrate Memory Forensics.
• Network Forensics
– Understand Network Forensics
– Explain Logging Fundamentals and Network Forensic Readiness
– Summarize Event Correlation Concepts
– Identify Indicators of Compromise(IoCs) from Network Logs
– Investigate Network Traffic.
 UNIT V
• Analyzing system memory :Memory evidence overview, Memory
analysis, Tools
• Dark Web Forensics :Understand the DarkWeb
• Investigating Email Crimes :Understand Email Basics, Understand Email
Crime Investigation and its Steps.
UNIT VI
• Investigating routers
– Obtaining volatile data prior to powering down
– Finding the proof
– Using routers as response tools

• Writing computer forensic reports

– What is a computer forensic report?
– Report writing guidelines
– A template for computer forensic reports
Any Questions……?