CNIT 121: Computer Forensics

Summer 2023 Sam Bowne

CRN 54175 Sat 9:10 am - 3:40 pm


Schedule · Projects

To attend class online:


The book we are reading for this course is:

Hayes, A Practical Guide to Digital Forensics Investigations, 2nd Edition: Pearson.
ISBN: 978-0-7897-5991-7

CCSF students can get free access to the book, as explained in Canvas.


The quizzes are multiple-choice, online, and open-book. However, you may not ask other people to help you during the quizzes. You will need to study the textbook chapter before the lecture covering it, and take the quiz before that class. Each quiz is due 30 min. before class. Each quiz has 5 questions, you have ten minutes to take it, and you can make two attempts. If you take the quiz twice, the higher score counts. CCSF students should take quizzes in the CCSF Canvas system.

Non-CCSF students should use this Canvas server: Enroll Here · View Course · Reset password


For class-related questions, please send messages inside Canvas, or email


Sat 6-10  Mod 1: The Scope of Digital Forensics
Mod 2: Windows Operating and File Systems
Demo: Binary Games and F200

Sat 6-17Mod 1 Quiz
Mod 2 Quiz
Mod 3 Quiz
Proj H 101 - H 104 due
Proj F 60 & F 200 due
Mod 3: Handling Computer Hardware
Demos: F 201 & F 202

Sat 6-24Mod 4 Quiz
Mod 5 Quiz
Autopsy Videos 0-4 due
Mod 4: Acquiring Evidence in a Computer Forensics Lab
Mod 5: Online Investigations
Demo: F 210 & F 220

Sat 7-1Mod 6 Quiz
Proj F 201 & F 202 due
Mod 6: Documenting the Investigation
Android Forensics Demos: M 140, M 142, M 143, M 144, M 145

Sat 7-8Mod 7 Quiz
Mod 8 Quiz
Proj F 210 & F 220 due
Mod 7: Admissibility of Digital Evidence
Mod 8: Network Forensics and Incident Response
Demo: F 221 & F 230

Sat 7-15Mod 9 Quiz
Proj M 144 due
Mod 9: Mobile Forensics
Demo: F 230

Sat 7-22Mod 10-11 Quiz
Proj F 230 due
Mod 10: Mobile App Investigations
Mod 11: Mac Forensics
Demos: H 420 and F 211

Sat 7-29 Last Class: No new material

Sat 7-22
Sat 7-29
  Final Exam available online throughout the week.
You can only take it once.

All quizzes due 30 min. before class
* No late penalty until 9-10


Submitting Projects

CCSF students must do these things to get credit:

  • Perform the project steps until you find a flag
  • Capture a whole-desktop image showing the flag
  • Outline or highlight the flag in the image
  • Submit the image in the appropriate Project in Canvas
  • Type the flag into the text field

Autopsy User Documentation


H 101-4: Binary Games (20 pts.)
F 60: Cloud Server on Azure (15 pts)
D 11: Chrome Remote Desktop (10 pts extra)
D 12: SSH Tunnel (10 pts extra)
ED 32: Windows 10 Virtual Machine (15 pts extra)

Using Autopsy

F 200: Examining a Forensic Image with Autopsy (15 pts.)
F 201: Rhino Hunt with Autopsy (15 pts + 10 extra)
F 202: Rhino Hunt with Wireshark (15 pts + 15 extra)
F 210: Memory Analysis with Autopsy (15 pts + 30 extra)
F 220: Capturing and Examining the Registry (15 pts)
F 221: Examining a Windows Disk Image (25 pts extra)
M 140: Android Studio Emulator (15 pts extra)
M 142: Rooting Android Studio's Emulator (15 pts extra)
M 143: Forensic Acquisition from Android (15 pts extra)
M 144: Android Analysis with Autopsy (10 pts)
M 145: Making a Rooted Android Emulator (10 pts extra)
F 230: iPhone Analysis with Autopsy (20 pts)
F 231: Scanning an iPhone Backup for Malware (15 pts extra)

Other Tools

H 420: Wireshark (110 extra)
F 211: Memory Forensics of LastPass and Keeper (25 extra)

IR 100: Windows and Linux Machines (20 pts extra)
IR 371: Velociraptor Server on Linux (25 pts extra)
IR 372: Investigating a PUP with Velociraptor (40 pts extra)
IR 373: Investigating a Bot with Velociraptor (50 pts extra)
IR 374: Investigating a Two-Stage RAT with Velociraptor (35 pts extra)

Scoreboard · Submit Flags · Updated: 7-22-23 10:03 am