COE589: Digital Forensics - Fall 2012 (121)

Lecture: Sunday/Tuesday | 18:30-19:45 | 24/149
Instructor: Ahmad Almulhem
Office: 22/407-2
Email: ahmadsm at kfupm
Office Hours:Sunday/Tuesday 11:15 - 12:50 and by appointment (email me)

Course Description

COE589 is a research-oriented graduate course in digital forensics. It aims to provide an extensive background suitable for those interested in conducting research in this area, as well as for those interested to learn about digital forensics in general. The course focuses on the technical issues and open problems in the area. Topics include fundamentals of digital forensics; digital forensics models, multimedia forensics; OS artifacts forensics; file carving; live and memory forensics; network forensics; mobile devices forensics; current tools and their limitations; legal and ethical issues.

A note on ethics: Techniques and tools discussed in class are strictly for educational purpose. DO NOT try them on a system/data that you don't own or for which you don't have permission. Otherwise, you might get yourself in serious legal consequences.


Graduate standing. A student is expected to have basic knowledge in operating systems, computer architecture and programming.

Course Outcomes


There is no required textbook. All readings are from selected research papers and reports.




Homework assignments consist of writing a reflection upon each paper you read. Specific instructions and submission will be through webCT. All Homework assignments are to be done individually. Submission deadline is Saturday 11:59PM for papers discussed in Sunday class, and Monday 11:59PM for papers discussed in Tuesday class. Deadlines are strict and no late submission will be accepted. For overall homework grade, I will drop your 2 lowest-scoring homework assignments.

Paper Presentations

During the course, you will present two or three papers depending on the class size. When it is your turn to present a paper, your homework submission will be a presentation slides instead of the usual reflection homework assignment. The presentation has to be prepared as a full lecture allowing 15-20 minutes for questioning and discussion.


A research-oriented project is the most significant component in this class. It may cover any topic of interest in digital forensics. You are encouraged to start thinking of a topic early, and to be creative and ambitious! A project should to be done in teams of two at most. Individual projects are also accepted upon instructor's consent.

The project will progress as follows:

Weekly Schedule

WK Date Topic Reading Notes Presenter
1 9/2 Overview and Logistics slides Ahmad Almulhem
9/4 Digital Forensics slides Ahmad Almulhem
2 9/9 Research in Digital Forensics "Digital Forensics: Defining a research agenda", K. Nance et al, HICSS'09
"Digital forensics research: The next 10 years", S. Garfinkel, Digital Investigation 2010
slides1, slides2 Ahmad Almulhem
9/11 Reading Papers "Reading a computer science research paper", P. Fong, ACM SIGCSE Bulletin 2009
"How to Read a Paper", S. Keshav, ACM SIGCOMM Computer Communication Review, 2007
"Writing Technical Articles", H. Schulzrinne
slides Ahmad Almulhem
3 9/16 Multimedia Forensics "Forensics Investigations of Multimedia Data: A Review of the State-of-the-Art", R. Poisel, IMF 2011 slides1,
Muhammad Qureshi
9/18 Image Forgery "A robust detection algorithm for copy-move forgery in digital images", Y. Cao, Forensic science international 2011
Optional Reading: "Image Forgery Detection", H. Farid, IEEE signal processing magazine 2009
Issam Laradji
4 9/23 National Holiday (No Class)
9/25 Gender Identification "Author gender identification from text", N. Cheng et al, Digital Investigation 2011 slides Elhebri Khiari
5 9/30 File Carving "The evolution of file carving", A. Pal et al, IEEE Signal Processing Magazine 2009 slides Muhammad Butt
10/2 File Carving "Carving contiguous and fragmented files with fast object validation", S. Garfinkel, DFRWS 2007 slides Faizuddin Mohammad
6 10/7 File Carving "Using NLP Techniques for File Fragment Classification", S. Fitzgerald et al, DFRWS 2012 slides1, slides2 Allam Fatayer
10/9 File Carving "Bin-Carver: Automatic Recovery of Binary Executable Files", S. Hand et al, DFRWS 2012 slides1, slides2 Mohammed Siddiqui
7 10/14 Project Proposal Discussion (bring 3 topics/papers to discuss)
10/16 Project Proposal due (15 min presentation in class + write-up)
Eid Break
8 11/4 Live Forensics "A survey of main memory acquisition and analysis techniques for the windows operating system", S. Vomel, Digital Investigation 2011
Optional Reading: "Forensic physical memory analysis: an overview of tools and techniques", G. Garcia, Helsinki University 2007
slides Faizuddin Mohammad
11/6 Live Forensic (introspection) "Forensics examination of volatile system data using virtual introspection", B. Hay, ACM SIGOPS Operating Systems Review 2008 slides Allam Fatayer
9 11/11 Project Related-Work Discussion
11/13 Project Related-Work Due (15 min presentation in class + write-up)
10 11/18 Network Forensics "Forensic Investigation of Peer-to-Peer File Sharing Network", M. Liberatore et al, DFRWS 2010 slides1, slides2 Danish Sattar
11/20 Network Forensics (Packet Carving) "Forensic Carving of Network Packets and Associated Data Structures", R. Beverly et al, DFRWS 2012 slides Ibrahim BenDaya
11 11/25 Mobile Forensic "Towards a General Collection Methodology for Android Devices", T. Vidas, DFRWS 2011
Optional Reading: "Forensics and the GSM mobile telephone system", S. Willassen, International Journal of Digital Evidence 2003
slides1, slides2 Muhammad Qureshi
11/27 Mobile Forensic "Social Networking Applications on Mobile Devices", N. Mutawa et al, DFRWS 2012 slides1, slides2 Elhebri Khiari
12 12/2 High Performance Forensics "Massive Threading: Using GPUs to Increase the Performance of Digital Forensics Tools", L. Marziale et al, DFRWS 2007 slides1, slides2 Muhammad Butt
12/4 Software Forensics "Software Forensics: Extending Authorship Analysis Techniques to Computer Programs", A. Gray et al, IAFL 1997 slides Mohammed Siddiqui
13 12/9 Project Status Update discussion
12/11 Project Status Update Due (15 min presentation in class + 1st draft)
14 12/16 Differential Forensic "A General Strategy for Differential Forensic Analysis", S. Garfinkel et al, DFRWS 2012 slides1, slides2 Issam Laradji
12/18 Large Scale Forensics "Lessons Learned Writing Computer Forensics Tools and Managing a Large Digital Evidence Corpus", S. Garfinkel, DFRWS 2012 slides Danish Sattar
15 12/23 Project Final Presentations
12/25 Project Final Presentations/ Final Paper due
16 12/29 Review