CNIT 121: Computer Forensics

Spring 2014 Sam Bowne

CRN 33817 Wed 6:10 - 9 pm MUB 330


Open Lab Hours for Sci 214

Schedule · Lecture Notes · Projects · Speakers · Links · Home Page


Computer Forensics Infosec Pro Guide by David Cowen
Publisher: McGraw-Hill Osborne Media; 1 edition (March 13, 2013)
Sold by: Amazon Digital Services, Inc.
Kindle edition: $25, Paper edition: $27 (prices I saw on 11-19-13 at Amazon)
Buy from Amazon

Catalog Description

The class covers forensics tools, methods, and procedures used for investigation of computers, techniques of data recovery and evidence collection, protection of evidence, expert witness skills, and computer crime investigation techniques. Includes analysis of various file systems and specialized diagnostic software used to retrieve data. Prepares for part of the industry standard certification exam, Security+, and also maps to the Computer Investigation Specialists exam.

Examine computer media to discover evidence.

Prerequisite: Students should have taken CNIT 120 or have equivalent familiarity with the fundamentals of security.

Upon successful completion of this course, the student will be able to:

  1. Define and describe computer investigations
  2. Demonstrate correct methods of evidence gathering
  3. Use and evaluate various operating systems and file systems
  4. Equip a Forensics Lab with appropriate hardware and software
  5. Install, configure, and use various command-line and graphical software forensics tools
  6. Describe and compare various hardware devices employed by computer forensics experts
  7. Retrieve and analyze data from a suspect's computer
  8. Create security implementation plans
  9. Summarize the evidence and write investigative reports
  10. Utilize the services of expert witnesses
  11. Recover file images, and categorize the data
  12. Examine and trace email messages
  13. Obtain and control digital evidence

Schedule (may be revised)

Wed 1-15  1 What is Computer Forensics? &
2 Learning Computer Forensics
Wed 1-22  3 Creating a Lab
Wed 1-29 4 How to Approach a Computer Forensics Investigation
Thu 1-30 Last Day to Add
Wed 2-5Quiz: Ch 1-4
Proj 1 & 2 due *
5 Choosing Your Procedures
Wed 2-12Quiz: Ch 5
6 Testing Your Tools &
Best Practices
Wed 2-19Quiz: Ch 6 & Best Practices
Proj 3 & 4 & 5 due *
7 Live vs. Postmortem Forensics
Sun. Feb. 23 - Mon. Feb. 24
B-Sides San Francisco (extra credit)
Wed 2-26
No Class--We will have a special presentation on the Pass the Hash, a powerful attack hackers have been using to compromise Windows systems for 15 years. Microsoft finally patched it in Windows 8.1. (This is worth extra credit)

6:30 to 8:30 at CCSF's Chinatown campus, 808 Kearny St., Fourth floor

Presenting will be one of Microsoft's top security researchers, Nathan Ide who developed the "fix" at Microsoft.

Wed 3-5Quiz: Ch 7
Proj 6 & 7 due
8 Capturing Evidence
Wed 3-12
Conrad del Rosario
Assistant District Attorney
San Francisco District Attorney's Office
White Collar Crimes Division

Case study on the Terry Childs case & more


Wed 3-19Quiz: Ch 8
Proj 8 & 9 due *
9 Nontraditional Digital Forensics
Wed 3-26Quiz: Ch 9
Proj 10 due *
10 Establishing the Investigation Type and Criteria &
11 Human Resources Cases
Wed 3-26 Mid-term grades due
Wed 4-2 Holiday--No Class
Wed 4-9Quiz: Ch 10 & 11
Proj 12 & 13 due
12 Administrator Abuse
Wed 4-16Quiz: Ch 12
Proj 11 & 14 due
13 Stealing Information
Tue 4-17 Last Day to Withdraw
Wed 4-23Quiz: Ch 13
Proj 15 & 16 due
14 Internal Leaks
Sat 4-26Wardriving 9 AM CLOU 218
Wed 4-30Quiz: Ch 14 & Proj 17
Proj 17 due
15 Keyloggers and Malware
Wed 5-7Quiz: Ch 15
Proj 18 due
16 Documenting Your Findings with Reports &
17 Litigation and Reports for Court and Exhibits

Wed 5-14 Guest Speaker: Johnathan Cran

Bug Bounties and Opportunities at BugCrowd

Jobs Available Now

Last Class
All Extra Credit Projects Due

Wed 5-21  Final Exam
* Requires DVD--available in SCIE 214

Lecture Notes

Student Agreement

Textbook errata from Sam
Textbook web page from author

1 What is Computer Forensics?
2 Learning Computer Forensics
3 Creating a Lab       PPTX
4 How to Approach a Computer Forensics Investigation       PPTX
5 Choosing Your Procedures       PPTX
6 Testing Your Tools       PPTX
Best Practices       PPTX
7 Live vs. Postmortem Forensics       PPTX
8 Capturing Evidence       PPTX
      Live Acquisition from a Mac running Mavericks
9 Nontraditional Digital Forensics       PPTX
10 Establishing the Investigation Type and Criteria &
11 Human Resources Cases
12 Administrator Abuse       PPTX
13 Stealing Information       PPTX
14 Internal Leaks       PPTX
15 Keyloggers and Malware       PPTX
16 Documenting Your Findings with Reports &
17 Litigation and Reports for Court and Exhibits

The lectures are in Word and PowerPoint formats.
If you do not have Word or PowerPoint you can use
Open Office.

Back to Top


* Project 1: Using Virtual Machines (Requires two DVDs: "K13" & "S13" (revised 1-7-2014) (15 pts.)
* Project 2: Capturing a RAM Image (Requires "S13" DVD)(written 1-7-2014) (15 pts.)
     memdump.7z (Use right-click, "Save As...")
* Project 3: Analyzing a RAM Image with Bulk Extractor (Requires "K13" DVD) (written 1-7-2014) (15 pts.)
* Project 4: Analyzing a RAM Image with Volatility (Requires "K13" DVD) (written 1-8-2014) (15 pts.)
Project 5: USB Write-Blocking with the Windows Registry (PDF) (revised 1-16-2014) (15 pts.)
Project 6: Recovering Deleted Photographs with PhotoRec (10 pts.)
     nps-2009-canon2-gen6.dd (Use right-click, "Save As...")
Project 7: Rebuilding an Image Header (10 pts.)
     badheader.jpg (Use right-click, "Save As...")
* Project 8: NTFS Data Runs (25 pts.) (Requires "S13" DVD) (Rev. 3-6-14)
      FILE1.TXT       FILE2.TXT
* Project 9: Fixing the Partition Table with TestDisk (Requires "S13" DVD) (20 pts.)
* Project 10: Static Acquisition with DEFT (Requires "DEFT" DVD)(20 Points)
* Project 11: Using EnCase (Requires "EN" DVD) (15 pts.)
Project 12: Introduction to FTK (15 pts.)
Project 13: Using FTK (25 pts.)
Project 14: Analyzing an iTunes backup with iPBA2 (15 Points) (14 MB)
Project 15: Using ProDiscover Basic Edition (20 Points)
      Disk Image (0.4 MB)
Project 16: Data Carving with Foremost (15 Points)
Project 17: Capturing and Examining the Registry (30 pts.)
Project 18: Shadow Copies and CCleaner (20 pts.)

      How to Increase the VMWare Boot Screen Delay

Extra Credit Projects

Project X1: Identifying File Types (Up to 25 points)      text.7z
Project X2: Static Image (15 pts. extra credit)      Proj X2 Evidence File
Project X3: Bypassing a BIOS password (15 pts. extra credit)
Project X4: Acquiring an iPad image with iTunes (15 pts. extra credit)
Project X6: Capturing Passwords from RAM on a Mac (10 Pts. extra credit)

Independent Projects (points vary)

* Requires DVD--available in SCIE 214.

Back to Top

Speaker Biographies

Conrad del Rosario

Graduated law school in 1991 and have worked as a prosecutor for over 20 years. Worked in various criminal units at the SF DA's office including domestic violence, sexual assault, and narcotics before working identity theft and high technology crimes. Currently the managing attorney for the Economic Crimes Unit, part of our White Collar Division, where I oversee 5 attorneys including the high technology and identity theft teams.

Currently assigned to the Rapid Enforcement Allied Computer Team (REACT) Task Force which is a consortium of local law enforcement agencies investigating high technology crimes based out of Silicon Valley, member of HTCIA, and currently a certified instructor for Peace Officer Standards and Training (POST) in the area of High Technology Investigations.


Links for Chapter Lectures

Ch 1a: Deconstructing a Credit Card's Data
Ch 1b: Mitigating Fraud Risk Through Card Data Verification
Ch 1c: What data is stored on a payment card's magnetic stripe?

Ch 2a: The OpenIOC Framework

Ch 3a: Free Email Certificate | Secure SSL Certificate from Comodo
Ch 3b: Digitally Sign & Encrypt Emails
Ch 3c: 3 Alternatives to the Now-Defunct TrueCrypt for Your Encryption Needs
Ch 3d: VeraCrypt - Home
Ch 3e: Security Onion
Ch 3f: Network Security Toolkit (NST 24)
Ch 3g: Skynet Solutions : EasyIDS
Ch 3h: NIST Computer Forensic Tool Testing Program
Ch 3i: Evidence Tags and Chain of Custody Forms
Ch 3j: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations
Ch 3k: Federal Rules of Evidence
Ch 3l: Security Technical Implementation Guides (STIGs) for host hardening
Ch 3k: Securing Windows Service Accounts (Part 1)
Ch 3l: Download Splunk Enterprise for free
Ch 3m: GitHub - mcholste/elsa: Enterprise Log Search and Archive
Ch 3n: Snare SIEM Software Products
Ch 3o: SIEM, Security Information Event Management, ArcSight | Hewlett Packard Enterprise
Ch 3p: RSA enVision SIEM | EMC RSA
Ch 3q: Building a DNS Blackhole with FreeBSD
Ch 3r: Windows DNS Server Sinkhole Domains Tool | SANS Institute

Ch 5a: Report Crimes Against Children | Department of Justice

Ch 7a: Redline User Guide
Ch 7b: LINReS | Network Intelligence India Pvt. Ltd.(NII Consulting), Mumbai
Ch 7c: LiME – Linux Memory Extractor
Ch 7d: Memoryze for Mac
Ch 7e: Use the Mandiant Redline memory analysis tool for threat assessments

Ch 8a: Host protected area - Wikipedia
Ch 8b: Device configuration overlay - Wikipedia

Ch 9a: Basic Snort Rules Syntax and Usage
Ch 9b: Snort: Re: Rule for detecting ssh
Ch 9c: OptiView XG Network Analysis Tablet
Ch 9c: Network TAPs
Ch 9d: Security Onion
Ch 9e: Chapter 9 Scenario PCAPs - Incident Response and Computer Forensics, 3rd Edition
Ch 9f: Download NetWitness Investigator
Ch 9g: Old NetWitness Project

Ch 10a: Analyze Microsoft DHCP Server Log Files
Ch 10b: More About Microsoft DHCP Audit and Event Logging
Ch 10c: DHCP | Internet Systems Consortium
Ch 10d: Linux How To/Tutorial: Checking DHCP Logs
Ch 10e: using the ISC DHCP log function for debugging
Ch 10f: BIND | Internet Systems Consortium
Ch 10g: DNSCAP - DNS traffic capture utility | DNS-OARC
Ch 10h: IT Information Systems Management Software | LANDESK
Ch 10i: Parsing Landesk Registry Entries FTW
Ch 10k: LANDesk SoftMon Monitoring Information
Ch 10l: How to browse Software License Monitoring data ... |LANDESK User Community
Ch 10m: RegRipper
Ch 10n: GitHub - keydet89/RegRipper2.8
Ch 10o: GitHub - jprosco/registry-tools: Registry Forensics Tools
Ch 10p: Client Management Suite | Symantec
Ch 10q: Altiris Inventory Solution™ 7.1 SP2 from Symantec™ User Guide
Ch 10r: Symantec Quarantined VBN file decoder
Ch 10s: John McAfee calls McAfee anti-virus "one of the worst products on the ... planet"
Ch 10t: Removing a PHP Redirector
Ch 10u: Understanding IIS 7 log files - Stack Overflow

Ch 11i: Filesystem Timestamps: What Makes Them Tick?
Ch 11j: File System Forensic Analysis: Brian Carrier
Ch 11k: Uuencoding - Wikipedia
Ch 11l: National Software Reference Library
Ch 11m: Nsrllookup
Ch 11n Security Firm Bit9 Hacked, Used to Spread Malware (2013)

Other Links

Yelp/osxcollector: A forensic evidence collection & analysis toolkit for OS X
SecureZeroMemory function (Windows)
Under My Thumbs -- Revisiting Windows thumbnail databases
Using Mandiant Redline to discover Meterpreter process injection - YouTube
Elcomsoft Advanced mobile forensics: iOS (iPhone and iPad), Windows Phone and BlackBerry 10
Aid4Mail Now (Free Trial)

New Unsorted Links

Ch 11a: Sawmill Web Log Analysis Sample - Dashboard
Ch 12a: File Times (Windows)
Ch 12b: SetMace: Manipulate timestamps on NTFS
Ch 12c: SANS Windows Artifact Analysis Poster
Ch 12d: Known Alternate Stream Names
Ch 12e: Bulk Removing Zone.Identifier Alternate Data Streams From Downloaded Windows Files
Ch 12f: Streams
Ch 12g: Manipulating Alternate Data Streams with PowerShell
Ch 12h: INDXParse: Tool suite for inspecting NTFS artifacts.
Ch 12i: Parse INDX
Ch 12j: Fsutil usn: the USN Change Journal
Ch 12k: Vssadmin
Ch 12l: View the content of Windows Prefetch (.pf) files
Ch 12k: FixEvt repairs corrupted Windows event logs
Ch 12n: Job File Parser
Ch 12o: SetRegTime
Ch 12p: Windows USER - Wikipedia
Ch 12q: Windows 7 Shellbags | SANS Institute
Ch 12r: MRU-Blaster
Ch 12s: Registry Decoder
Ch 12t: JLECmd: Automatic and Custom Destinations jump list parser with Windows 10 support
Ch 12u: Rifiuti2
Ch 12t: Hiberfil.sys - ForensicsWiki
Ch 12u: Zeus Malware Analysis using the Volatility Framework (Part I)
Installing Rekall on Windows
Download google/rekall � GitHub
RecuperaBit - A Tool For Forensic File System Reconstruction
Ch 12v: The VAD Tree: A Process-Eye View of Physical Memory
Ch 13a: iBored Disk Editor for Mac
Ch 13b: The MacPorts Project -- Download & Installation
Ch 13c: OS X 10.9: where are password hashes stored
Ch 13d: What type of hash are a Mac's password stored in?
Ch 13e: How to crack macbook admin password
Ch 13f: How to Convert plist Files to XML or Binary in Mac OS X
Ch 14a: BrowsingHistoryView - View browsing history of your Web browsers
Ch 14b: Extensible Storage Engine (ESE) Database File (EDB) format
Ch 14c: ESEDatabaseView - View/Open ESE Database Files (Jet Blue / .edb files)
Ch 14d: IECacheView - Internet Explorer Cache Viewer
Ch 14e: Freeware Web Browser Tools Package
Ch 14f: Google Chrome - ForensicsWiki
Ch 14g: Browser Popularity
Ch 14h: File:Browser usage share, 2009--2016, StatCounter.svg - Wikipedia
Ch 14i: How to Read and Analyze the Email Header Fields and Information about SPF, DKIM, SpamAssassin
Ch 14j: Inspect documents for hidden data and personal information
iOS Secure Boot 101 Slides from Axi0mX
Hibr2Bin: Comae Hibernation File Decompressor
A glimpse of iOS 10 from a smartphone forensic perspective
Mobile Forensics Monkey Wrench: iOS 10.2 and Encryption
iOS Forensics (7/25/17)
Evidence Acquisition and Analysis from iCloud
GitHub - stuxnet999/MemLabs: Educational, CTF-styled labs for individuals interested in Memory Forensics
Police Linked to Hacking Campaign to Frame Indian Activists (2022) -- IMPORTANT FORGED EVIDENCE

Links from Sammoms Textbook

Links from Nelson Textbook

Back to Top
Last Updated: 5-13-14 2:08 pm