COE589: Digital Forensics - Spring 2013 (122)

Lecture: Sunday/Tuesday | 18:30-19:45 | 24/114
Instructor: Ahmad Almulhem
Office: 22/407-2
Email: ahmadsm at kfupm
Office Hours:Saturday/Sunday/Monday/Tuesday 11:00 - 12:00 and by appointment (email me)

Course Description

COE589 is a research-oriented graduate course in digital forensics. It aims to provide an extensive background suitable for those interested in conducting research in this area, as well as for those interested to learn about digital forensics in general. The course focuses on the technical issues and open problems in the area. Topics include fundamentals of digital forensics; digital forensics models, multimedia forensics; OS artifacts forensics; file carving; live and memory forensics; network forensics; mobile devices forensics; current tools and their limitations; legal and ethical issues.

A note on ethics: Techniques and tools discussed in class are strictly for educational purpose. DO NOT try them on a system/data that you don't own or for which you don't have permission. Otherwise, you might get yourself in serious legal consequences.


Graduate standing. A student is expected to have basic knowledge in operating systems, computer architecture and programming.

Course Outcomes


There is no required textbook. All readings are from selected research papers and reports.



Homework (30%)

Homework assignments consist of writing a reflection upon each paper you read. Specific instructions and submission will be through webCT. All Homework assignments are to be done individually. Submission deadline is Sunday 12:00PM for papers discussed in Sunday class, and Tuesday 12:00PM for papers discussed in Tuesday class. Deadlines are strict and no late submission will be accepted.

Paper Presentations (15%)

During the course, you will present two or three papers depending on the class size. When it is your turn to present a paper, your homework submission will be a presentation slides instead of the usual reflection homework assignment. The presentation must be prepared as a 50-60 minutes lecture allowing for about 15 minutes for questioning and discussion. The presenter has to provide any necessary background materials which may require some research on his part. Evaluation is based on the presentation quality and on adhering to the following guidelines:

Class Discussion (10%)

The rules regarding class discussion are as follows:

Project (45%)

A research-oriented project is the most significant component in this class. It may cover any topic of interest in digital forensics. You are encouraged to start thinking of a topic early, and to be creative and ambitious! A project should to be done in teams of two at most. Individual projects are also accepted upon instructor's consent.

The project will progress as follows:

Weekly Schedule

WK Date Topic Reading Notes Presenter
1 1/27 Overview and Logistics slides Ahmad Almulhem
1/29 Digital Forensics slides Ahmad Almulhem
2 2/3 Research in Digital Forensics K. Nance et al, "Digital Forensics: Defining a research agenda", HICSS'09
S. Garfinkel, "Digital forensics research: The next 10 years", Digital Investigation 2010
slides Ahmad Almulhem
2/5 Reading Papers P. Fong, "Reading a computer science research paper", ACM SIGCSE Bulletin 2009
S. Keshav, "How to Read a Paper", ACM SIGCOMM Computer Communication Review, 2007
"Writing Technical Articles", H. Schulzrinne
slides Ahmad Almulhem
3 2/10 Investiation Framework Ieong, Ricci SC. "FORZA - Digital forensics investigation framework that incorporate legal issues." digital investigation 3 (2006): 29-36. slides Abdiwahid Ahmed
2/12 Windows Forensics Carvey, Harlan. "The Windows Registry as a forensic resource." Digital Investigation 2.3 (2005): 201-205. slides Azzat Ahmed
4 2/17 Time and Forensics Chow, K. P., et al. "The Rules of Time on NTFS File System." Systematic Approaches to Digital Forensic Engineering, 2007. SADFE 2007. Second International Workshop on. IEEE, 2007.
Case Study: Boyd, Chris, and Pete Forster. "Time and date issues in forensic computing - a case study." Digital Investigation 1.1 (2004): 18-23.
slides Muhammad Naseer
2/19 Timeline Hargreaves, Christopher, and Jonathan Patterson. "An automated timeline reconstruction approach for digital forensic investigations." Digital Investigation 9 (2012): S69-S79. slides Manaf Bin Yahya
5 2/24 File Carving Richard III, Golden G., and Vassil Roussev. "Scalpel: A frugal, high performance file carver." Proceedings of the 2005 digital forensics research workshop (DFRWS 2005). 2005. slides Muhammad Naseer
2/26 File Carving Veenman, Cor J. "Statistical disk cluster classification for file carving." Information Assurance and Security, 2007. IAS 2007. Third International Symposium on. IEEE, 2007. slides Iyad Shaheen
6 3/3 Live Forensics Carrier, Brian D., and Joe Grand. "A hardware-based memory acquisition procedure for digital investigations." Digital Investigation 1.1 (2004): 50-60. slides MD Haque
3/5 Live Forensics Hay, Brian, and Kara Nance. "Forensics examination of volatile system data using virtual introspection." ACM SIGOPS Operating Systems Review 42.3 (2008): 74-82. slides MD Haque
7 3/10 Mobile Forensics Lessard, Jeff, and Gary Kessler. "Android Forensics: Simplifying Cell Phone Examinations." (2010).Small Scale Digital Device Forensics Journal Vol. 4, No.1, September 2010 slides Manaf Bin Yahya
3/12 Free Talk
8 3/17 Project Proposal Discussion
3/19 Project Proposal due
Midterm Vacation
9 3/31 Project Related-Work Discussion
4/2 Project Related-Work Due
10 4/7 Cloud Forensics Chung, Hyunji, et al. "Digital forensic investigation of cloud storage services." Digital Investigation (2012). slides Abdiwahid Ahmed
4/9 Mobile Forensics Simao, et al. "Acquisition and Analysis of Digital Evidence in Android Smartphones." FORENSIC COMPUTER SCIENCE IJoFCS: 28. slides Abubakar Bala
11 4/14 Email Investigations Persaud, Anthony, and Yong Guan. "A Framework for Email Investigations." Advances in Digital Forensics (2005): 79-90. slides Abubakar Bala
4/16 IM Forensics Orebaugh, Angela, and Jeremy Allnutt. "Classification of instant messaging communications for forensics analysis." The International Journal of Forensics Computer Science (2009): 22-28. slides Azzat Ahmed
12 4/21 Anti-Forensics Casey, Eoghan, and Gerasimos J. Stellatos. "The impact of full disk encryption on digital forensics." ACM SIGOPS Operating Systems Review 42.3 (2008): 93-98. Iyad Shaheen
4/23 Free Talk
13 4/28 Project Status Update discussion
4/30 Project Status Update Due
14 5/5 Free Talk
5/7 Free Talk
15 5/12 Project Demo
5/14 Project Demo/ Final Paper due