Computer Forensics - Course Page
This page is for English speaking students of the Faculty of Mathematics and Information Science attending the Computer Forensics (CF) course conducted in Spring/Summer 2012 by the Institute of Electronic Systems.
The course description (the part A of the first lecture) is here. [pdf]
Announcements
14 May 2012
The instructions and the protocol for the fourth lab are available at the learning materials page. While preparing please study the materials available at A Forensic Analysis of the Windows Registry website. In particular download, print, read and get yourselves familiar with the ideas given by Derrick Farmer in this paper.
9 May 2012
The instructions and the protocol for the third lab are available at the learning materials page. On Thursday I will demonstrate how to reconstruct the timeline for the image of a FAT file system investigated during the second lab. It is going to be a tutorial for the oncoming lab.
23 Apr 2012
The instructions and the protocol for the second lab are available at the learning materials page. No Chain of Custody this time. Please, remember to test your DVDs. On Thursday I will demonstrate how the Autopsy sees the image from the first lab. But you should also give it (the Autopsy) a try while preparing to the oncoming lab.
20 Apr 2012
Mr Wi¶niewski is kindly asked to authenticate
himself sending an e-mail to to 
.
18 Apr 2012
On request of a student I have made available to all of you the presentation with examples of the bad and the good documentation (based on the results of the first lab from an year ago). See the learning materials page.
30 Mar 2012
The instructions for the first lab are available at the learning materials page.
At the next lecture I will explain the idea behind it,
and will show you some examples of good and bad documentation.
Mr Ifeadi, Mr Kalayci, Mr Wi¶niewski and Mr Witan are kindly asked to authenticate
themselves sending an e-mail to to .
23 Mar 2012
It has been decided that the first test of the semester will be held on Thursday, April 12. Please, start downloading and studying the learning materials (the lecture slides). And keep in mind these general test preparation tips.
16 Mar 2012
The last lecture is available at the learning materials page.
11 Mar 2012
It has been decided that the labs are going to start on April 19th. Here is the schedule:
| Lab | Date | Task |
| 1 | April 19 | Tutorial: getting familiar with the lab environment, recovering files from a formatted and/or reused thumb drive image - emphasis on documentation. |
| 2 | April 26 | Making and analyzing an image of a FAT file system partition and recovering hidden data from it - questions and answers - Autopsy, file carving, slack space. |
| 3 | May 10 | Analyzing an image of an NTFS file system partition and recovering hidden data from it, using Linux- and Windows-based tools - reconstructing timelines - Autopsy, WinHex, ProDiscover. |
| 4 | May 17 | Performing post-intrusion analysis of a Linux system - Autopsy - or Analyzing Windows - everything is in the Registry - WinHex, ProDiscover. |
| 5 | May 24 | Analyzing Windows - everything is in the Registry - WinHex, ProDiscover - or Internet investigation - searching for sources of evidence regarding internet-based criminal activities. |
3 Mar 2012
There is a change to the plan. From now the lectures will be held at the room No 101 from 10:15 a.m. to 12:00 noon. The labs will follow from 12:15 p.m. to 3:00 p.m.
The second lecture is available at the learning materials page.
Once again: to get your authentication data please send an e-mail to .
24 Feb 2012
The first lecture (part B) is available at the learning materials page.
To get your authentication data please send an e-mail to .
22 Feb 2012
Please come to the first lecture (Thursday 23 Feb, 2:15 p.m., Rm 105).
The labs are planned to start in April.
The page was last modified on: 14 May 2012
