ISA 785: Research in Digital Forensics - Fall 2011


Instructor: Angelos Stavrou
Lecture: Wednesday 7:20pm - 10:00pm
Nguyen Engineering Building 5358 [Campus Map]
Office Hours: Wednesday 4:30pm - 6:30pm and by appointment
Office: Research I, Rm 437
Email: astavrou()gmu.edu

Teaching Assistant: Chen Liang
Research I, Rm 438
Office Hours: Monday 4:00pm - 6:00pm
Email: cliang1()gmu.edu

Course Description:

This class will be focused on current research and challenges in Digital Forensics including:

  • Principles, Techniques, Tools used in Digital Forensics
  • Computer and Network Forensic Analysis
  • Forensics for Mobile Devices

Class Objectives

This course offers an in-depth introduction to the principles, techniques, tools and current practices used in digital forensics, including the latest research advances. By the end of the course, students will gain experience in:

  • Principles and Techniques for Digital Forensics
  • Understanding the established procedures in Digital Evidence Identification, Extraction, Preservation, Correlation, Analysis and Presentation
  • Applying Existing Tools to conduct Forensic Duplication and analysis
  • Understanding the specific technical challenges in conducting Digital Forensics
  • Countermeasures and Caveats of Digital Forensics
  • Common Legal and Ethical issues in Digital Forensics


Prerequisites:

CS 571 (Operating Systems), CS 555 (Computer Networks), and ISA 562 (Information Security Theory & Practice); or permission of instructor. The coursework will include substantial programming projects; to complete the projects, students must be comfortable with Java or another programming language.


Required: [TextBook available online for GMU students]
File System Forensic Analysis by Brian Carrier.
Addison-Wesley Professional, (March 27, 2005) ISBN-13: 9780321268174
[Online for GMU] [Pearson] [Amazon]

On this web page you will also find assigned reading from on-line articles, law opinions, and research publications. I will also have supplementary materials on reserve or handed out during class. Although we will not read the entire Carrier book, and we will use it for only a portion of the class, it cannot be replaced with other materials.

Recommended: [TextBook available online for GMU students]
System Forensics, Investigation, and Response, by John R. Vacca and K. Rudolph.
Jones & Bartlett Learning, (September 24, 2010) ISBN-13: 9780763791346
[Online for GMU] [Jones & Bartlett Learning] [Amazon]

Grading:

  • Class Projects: 80%
  • Class Presentations: 15%
  • Class Participation: 5%
  • No Midterm or Final

The students must achieve a total score of at least 90 (out of 100) to be considered for an A. This class is an advanced graduate-level class and is geared towards understanding the fundamental concepts behind Digital Forensics. The students will be expected to participate in large projects under the guidance of the instructor.

Computer Accounts:

All students should have accounts on the central Mason Unix system mason.gmu.edu (also known as osf1.gmu.edu) and on IT&E Unix cluster zeus.ite.gmu.edu (Instructions and related links are here). Please read the FAQ if you have any questions. Students can work in IT&E computer labs for programming projects during the specified hours.

Honor Code:

Please read and adhere to the University's Academic Honesty Page, the GMU Honor Code, and the CS Department Honor Code.

Disability Statement
If you have a documented learning disability or other condition that may affect academic performance you should:
1) Make sure this documentation is on file with the Office of Disability Services.
All academic accommodations must be arranged through the ODS. http://ods.gmu.edu
2) Talk with me to discuss your accommodation needs.

Other Useful Resources

Writing Center:
A114 Robinson Hall; (703) 993-1200; http://writingcenter.gmu.edu
University Libraries: “Ask a Librarian” http://library.gmu.edu/mudge/IM/IMRef.html
Counseling and Psychological Services (CAPS): (703) 993-2380; http://caps.gmu.edu
University Policies: The University Catalog, http://catalog.gmu.edu, is the central resource for university policies affecting student, faculty, and staff conduct in university affairs.

Class Schedule

Week & Date
Course Lectures & Readings (Tentative)

Week 1, Aug 31

Intro & Class Mechanics [PDF]

Modern Digital Forensics [PDF]


- US DoJ: Forensic Examination of Digital Evidence: A Guide for Law Enforcement

- US DoJ: Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition

Week 2, Sept 7

LAB: Open Source Digital Forensics Tools (I)

CERT Forensic Tools [Link]
CERT Virtual Appliance Manual [PDF]

VMWare Appliance (Fedora V14, 2011)
[GMU 32-bit Link] [CERT 32-bit Link]
MD5 Checksum: cc3ed64cc84a5e58e4c51d4aa2a922e9
[GMU 64-bit Link] [CERT 64-bit Link]
MD5 Checksum: 2d68570c029a35e71105063b4f2c40c7

Digital Forensics Framework (DFF) [Link]
DFF 1.1.0 Fedora 14 [DFF Link] [GMU Link]
MD5: 1c8775a53da58368554ba08abb080e65
DFF Documentation [Link]

The Sleuth Kit [Link]
TSK version 3.2.2 [Link] [GMU Local]
MD5: bc6244a086e4e35215b8e1a776f63c5c
TSK Documentation [Link]

Autopsy Forensic Browser [Link]
Autopsy version 2.24 [Link] [GMU local]
MD5: 4ed18aa9f79453d74957b5db220d0d59
Autopsy Documentation [Link]

Honeynet Challenges & Forensic Case Studies [Link]

Week 3, Sept 14

Background Basics: Operating Systems, Computer Networks
Review of basic concepts of data representation, Application Specific Forensics,
Data recovery versus Forensic Investigations (from the book)
Readings: Textbook Chapters 2, 3, 4

Introduction to File System Forensics & Data Hiding
[Unix File System Primer] [TSK Overview and Automated Scanning, Brian Carrier]
Readings: Textbook Chapters 5, 14

Bell, G.B. and Boddington, R. (2010) Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery? Journal of Digital Forensics, Security and Law, 5 (3). pp. 1-20.

Week 4, Sept 21

Guest Lecture: Arnur Tokhtabayev

Software Forensics & Malware Analysis

Week 5, Sept 28

LAB: Open Source Digital Forensics Tools (II)

DEFT Linux (DEFT Computer Forensics Live CD) [GMU Link] [Direct Link]
DEFT Manual [PDF]

Project and Teams

Assignment I (Optional, Extra Credit, Due before Oct. 19th) [PDF]

Week 6, Oct 5

Introduction to Mobile (Android) Systems [PDF]

Android Programming Resources
Google Android SDK [HTML]
Developer's Guide [HTML]
Android Emulator [HTML]
Android Debug Bridge [HTML]

Security Enforcement in Mobile Devices
Open Lab - Application Development for Android
Android Programming Model using HTML for the UI [HTML]
Android Kernel Programming How To [HTML]
IBM's Tapping into Android Sensors' Page [HTML]

Week 7, Oct 12

Guest Lecture: Arnur Tokhtabayev

Software Forensics & Malware Analysis II [PDF]

Assignment II (Optional, Extra Credit, Due before Nov. 8th) [PDF]

Week 8, Oct 19

Network Forensics - Challenges and Open Problems [PDF]


  1. Passive Network Forensics: Behavioural Classification of Network Hosts Based
    on Connection Patterns, John McHugh et al. [ACM] [PDF]
  2. New Payload Attribution Methods for Network Forensic Investigations,
    Miroslav Ponec et al. [PDF]
  3. Forensic carving of network packets and associated data structures,
    Simson Garfinkel et al. [PDF]

Discuss network-wide scenario reconstruction, Trace-Back

Week 9, Oct 26

bulk_extractor: A Stream-Based Forensics Tool [PDF] [Working paper]

Professor Simson L. Garfinkel, Naval Postgraduate School [Web Page]

Week 10, Nov 2

Project II Discussion & Student Groups

Memory Forensics & Anti-Forensics - the value of Digital Evidence

- Finding Digital Evidence In Physical Memory, Mariusz Burdach, BH06 [PDF]

- Physical Memory Forensics for Files and Cache, Jamie Butler and Justin Murdock, BH11 [PDF]

- Anti-Forensics, The Rootkit Connection, Bill Blunden, BH09 [PDF]

Week 11, Nov 9

Steganography, Steganalysis, & Information Hiding

- Steganography, Steganalysis, & Cryptanalysis, Michael T. Raggo, VeriSign [PDF]

- Hide and Seek: An Introduction to Steganography, Niels Provos et al. [PDF]

- Steganography and Steganalysis: Different Approaches, Soumyendu Das et al. [PDF]

Project I is Due

Week 12, Nov 16

Legally Authorized Surveillance: Problems and Solutions [PDF]

Professor Micah Sherr, Georgetown University [Web Page]

Steganography Challenge [Link]

Week 13, Nov 23
No Lecture - Thanksgiving Recess

Assignment 2 is Due

Week 14, Nov 30

Steganography, Steganalysis, & Information Hiding II

Image Steganography & Steganalysis [PDF]

- Steganography Capacity: A Steganalysis Perspective [PDF]
R. Chandramouli and N.D. Memon

- Blind Statistical Steganalysis of Additive Steganography Using Wavelet Higher Order Statistics
Taras Holotyak et al.

Week 15, Dec 7

Class Recap and Discussion Lessons Learned

Week 16, Dec 14

Final Project Presentations (Each team, Discussion)

Project II writeup is Due

Please feel free to send your comments and suggestions to Angelos Stavrou.
© 2010 Angelos Stavrou, Computer Science Department, George Mason University.