XL002906_2023-4_TR1_001 - Host-Based Forensics (CSN11126/CSN11125)

Welcome to CSN11125/CSN11126 Host-Based Forensics. This module is for on campus, distance learning, part-time and full-time students. It focuses on CAINE as the forensic analysis tool. As CAINE is a Linux-based environment, the course also in

Teaching Team

Module Leader: Robert Ludwiniak - email: r.ludwiniak@napier.ac.uk, +44 (0)131 455 2780, Roo
Skype ID: robert_ludwiniak; WebEx private room - https://edinburghnapier.webex.com/meet/m

Lecturer: Dr. Petra Leimich - email: p.leimich@napier.ac.uk, Room: C.49
The best way to contact me is via Teams chat. If you want to meet, please contact me via chat

You should make use of the Teams channels for communicating in general, but you can also u account. Robert is the module leader, so general questions should usually be sent to him.

Announcements

General Questions and Chat
Please use the General Channel in Teams for questions and chat, and to discuss anythi

Reading List

Recordings - We will individually link relevant event recordings in Moodle in the appropriate you can find all recordings in Teams, in the Files > Recordings of the relevant folder immedia folder; Thursday evening recordings folder.

Resource Booker
The JKCC and library desks do not need to be booked via Resource Booker. The library stud any other space on-campus. Resource Booker links into your personal timetable and shows any bookings you have. You Napier. Here are the Resource Booker Guidelines for School of Computing Students.

Module Delivery
The module delivery will be as follows:

Lectures
Lectures will be delivered live on campus on Friday at 11am in E17 and streamed on Teams. All lectures will be live and recorded using Teams and posted on Moodle.

Labs
Practical work will be hosted in a cloud environment on http://linuxzoo.net using CAINE.
Practical sessions for on campus students will be delivered in C27 on Friday at 9am.

Engagement and Support
Regular weekly online Teams meetings, hosted by Robert or Petra, can be used as a drop-in synchronous discussion session. These meetings will be on Thursdays at 6pm. All students are welcome. Email and the Module Discussion Forum will be used for asynchronous support throughout the teaching weeks.

Assessments
Short answer class test - 30%
Practical test using linuxzoo - 40%
Coursework - 30%
All assessment dates will be confirmed in the near future.

Module Overview
Description of module content:
This module will cover elements of operating system disk-level architectures, such as Windows and Linux. This will allow students to study how operating systems store system and user data, and thus students will gain an understanding as to what information could technically be held on such systems. This data could include user files, as well as user activities such as login session data, browsing histories, operating system manipulation, and general user interactions with a variety of operating system tools. This understanding will be expanded through theoretical knowledge and practical exercises in extracting information from systems, using a variety of open source and commercial forensic analysis tools, and documenting the results of such a process using consistent and thorough evidential procedures. This includes the production of event timelines, as well as the analysis of system logs, operating system state, file systems, and application data. The module will also consider the ethical and professional issues related to digital forensics.

Learning Outcomes for module:
On completion of this module, students will be able to:
LO1: Develop the analytical and practical skills needed to access, process, and manipulate disk-based user and operating system data using standard operating system commands.
LO2: Identify and evaluate the key transient and persistent information which may be held in operating system disk images.
LO3: Develop techniques related to the academic principles, ethics, sound forensic methods, and practical skills required to analyse a range of end host devices using current forensic tools and techniques.
LO4: Research, evaluate and critically analyse end host devices as part of a complex forensic investigation.

Reading List

Module Schedule

Date (w/b)   | Week No.* | Lecture Topic                                                   | Lab
11/09/2023   | 2         | Module Administration, Introduction to Forensics, Acquisition (RL) | Acquisition
18/09/2023   | 3         | Advanced Linux DD/GREP/offsets (RL)                             | SysIntro, GREP
25/09/2023   | 4         | Storage - Disks/partitions/Boot process (RL)                    | MBR, GPT
02/10/2023   | 5         | File Systems 1 (FAT & ExFAT) (PL)                               | FAT & ExFAT
09/10/2023   | 6         | File Systems 2 (NTFS) (RL)                                      | NTFS
16/10/2023   | 7         | Ethics - Legal - Triage (PL)                                    | Catch-up session; *Assessment 3 handout
23/10/2023   | 8         | *Assessment 1 – Short Answer Exam                               | Catch-up session
30/10/2023   | 9         | File Metadata and File Recovery (RL)                            | File_Recovery_metadata, File_Recovery_tools
06/11/2023   | 10        | Browsers (PL)                                                   | Browser - linuxzoo
13/11/2023   | 11        | Windows Artifacts & Windows Registry (RL)                       | Windows Artifacts (pdf version under week 11 tab); Registry (pdf version under week 11 tab)
20/11/2023   | 12        | Mobile Forensics (RL)                                           | Catch-up session
27/11/2023   | 13        | Cloud Forensics (PL)                                            |
04/12/2023   | 14        | Revision                                                        | *Assessment 2 – Practical Exam; *Assessment 3 – handin
11/12/2023   | 15        |                                                                 |

NOTE: The lecture and lab schedule presented above may change: new labs will be added in due course and the order of lectures may change to accommodate guest speakers.

Module Communications
This section contains communications spaces used for the module. The General channel on Teams can be used to ask questions and discuss any general topic on the module, for general issues as well as coursework discussions.
The "DL Support" channel is a weekly online Teams meeting, hosted by Robert or Petra, which can be used as a drop-in synchronous discussion session. All students, DL and on campus, are welcome.

The lectures and practical sessions will be hosted on campus:
Live lectures will be delivered every Friday at 11:00am in E17 (British time).
Practical sessions (on campus) will be delivered every Friday at 9am in C27 (British time).
Support session for DL students every Thursday at 6pm (British time).

Assessments

Assessment 1 (30% of module)
This is a short-answer test in week 8. The test is based on all materials covered up to and including week 7 in the module schedule. The exam is supervised, open book and the duration of the test is 2 hours. The test will run in Moodle.

Assessment 2 (40% of module)
This assessment is a practical exam in week 14. The exam will run from http://linuxzoo.net/exam.cgi and has a similar format to the linuxzoo labs. The exam is open book, and the duration of the test is 2 hours.

Assessment 3 (30% of module)
This is a written report, to be submitted in week 14. The coursework requirement specification can be found in the "coursework" section below.

Three assessment elements are used in this module to generate an overall mark for the module. The overall module mark will be based on the weighted marks achieved for each of the three elements of the assessment. So, test%mark*0.3 + practicalexam%mark*0.4 + coursework%mark*0.3 = module % mark. This will then be aligned to a grade band on the Master's scale (F5 to D5). See the course Moodle page for Master's grading band information.

Assessment 1 (30% of module)
This is a short-answer exam in week 8 on 27th of October. The test is based on all materials covered up to and including week 7 in the module schedule. The exam is supervised, open book and the duration is 2 hours.
On campus students only - your class test will start at 9am in C27.

DL students only - we will have 2 sessions available for the test. Space is limited at each one, so it is first come, first served. Please choose the session you are going to attend in order to sit Assessment 1 - link below. Remember we will be using Teams for this test and you will require an external webcam to view both you and your screen (e.g. from a slightly side-on view). A webcam in your laptop will not be useful here; however, you can use your mobile phone with its camera pointing at your screen. Be ready 10 minutes before the start.

Assessment 1 Session Choice - DL students only
Please choose the session you are going to "virtually" attend in order to sit Assessment 1. Remember we will be using Teams for this test. There are two sessions, starting at 2pm and at 6pm, both on Friday, 27th October. The evening session is designated for DL students that cannot attend during the day due to work and/or family commitments. Therefore, if you can attend during the day please choose the 2pm session.

Assessment 2 (40% of module)
This assessment is a practical exercise, similar in nature to a linuxzoo tutorial exercise. This happens in week 14 on Friday the 8th of December 2023.

On campus students - the exam will be from 11am to 1pm in Room C27 and is supervised. The exam is at https://linuxzoo.net/exam.cgi.

DL students - you can start the exam any time between 8am and 9pm UTC/GMT. For DL students, the test is unsupervised.

Password - "Final Exam"
The exam is at https://linuxzoo.net/exam.cgi. We will provide the password on the day of the exam (it will be emailed to DL students on the morning of 8/12). The test is open book, so you can use the internet to search for solutions if you wish. This test is based on practical work that you have covered in the module.
You MUST NOT help other students, receive help from others, post questions on the internet, use generative AI, share the questions with others or share your answers with others. See the lecture and recording in Week 13 for more information.

Coursework

Coursework Specification
Coursework presentation will be on Thursday the 2nd at 6pm on the DL Support channel. It will be recorded.
Coursework information and requirements
Referencing and Plagiarism
TurnitinUK
Turnitin - coursework submission 2023/24
You will get 0% if you do not submit to Turnitin. If you do submit and your similarity index is too high, then it is at the discretion of the module leader to report the matter to the Academic Integrity Officer for investigation.

Forensic tools and images

AXIOM - Student Manual (PDF document)
AXIOM - forensic tool - download

Activate your license
You can activate your license from a computer with an internet connection.
1. In AXIOM Process or AXIOM Examine, click Help > Licensing > CLS.
2. In the Magnet License Manager, click Activate license.
3. In the Product drop-down list, click AXIOM / AXIOM Cyber.
4. In the License type drop-down list, select CLS.
5. Under Cloud license server (CLS) license, provide your activation code.
6. Click Activate.
7. Click Close.
8. Restart Magnet AXIOM.
Your activation code is: efdb-a989-f450-46aa-95d2-0fcb-e329-1221

For the purpose of the labs, you will need forensic images. There are three major images: Guzman, Mick, and Steph-Filipe. Each major forensic image is composed of multiple files ending with an extension E01...E0X. You need to download all the files.

Guzman Forensic Image: http://socrdlvideo.napier.ac.uk/modules/misc/CSN09111/Guzman/Guzman Drive.E0X --> there are 8 files with extension E01...E08, therefore substitute "X" with numbers 1 to 8.
Mick Forensic Image: http://socrdlvideo.napier.ac.uk/modules/misc/CSN09111/Mick/Mick.E0X --> there are 7 files with extension E01...E07, therefore substitute "X" with numbers 1 to 7.
Steph-Filipe Forensic Image: http://socrdlvideo.napier.ac.uk/modules/misc/CSN09111/Steph-Filipe/StephFilipe.E0X --> there are 8 files with extension E01...E08, therefore substitute "X" with numbers 1 to 8.

OneDrive - link to the forensic images - download
May be faster than the server links above. You can move this to your own OneDrive if you don't have space!

LABS based on AXIOM
Lab - Introduction to AXIOM (PDF document)

Prep Material for class test 1
Essentials
File permissions
Regular Expressions
Essential Linux for Forensics
Disks and Partitions
Acquisition
File System analysis and FAT
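The three images above are split EWF (Expert Witness Format) images: each .E0X file is one segment, and a forensic tool such as CAINE's or AXIOM's EWF reader needs the complete chain, so a single missing segment makes the whole image unusable. The POSIX shell script below is an added example and is not part of the module page or of linuxzoo: it builds the segment URLs from the pattern given above (percent-encoding the space in "Guzman Drive", which breaks a naive copy-and-paste into wget or curl), downloads the segments with curl, counts any that are missing, and, when libewf's ewfverify is installed, recomputes the MD5/SHA1 stored in the image across all segments. The function names, the ./images output directory and the --fetch flag are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the module page: fetch and sanity-check a split
# EWF image (Name.E01 ... Name.E0n) published under one URL pattern.
# Assumes curl; ewfverify (libewf-tools) is optional. Function names, the
# ./images output directory and the --fetch flag are this script's own choices.

# Print one URL per segment. $1 = URL prefix without the .E0X extension,
# $2 = segment count. The space in "Guzman Drive" must be sent as %20, and
# EWF numbers segments E01..E99 before switching to letters, so %02d is
# enough for the 7-8 segment images used here.
segment_urls() {
    base=$(printf '%s' "$1" | sed 's/ /%20/g')
    i=1
    while [ "$i" -le "$2" ]; do
        printf '%s.E%02d\n' "$base" "$i"
        i=$((i + 1))
    done
}

# Download every segment into directory $3, keeping the server's file name
# (with the %20 turned back into a space). Non-empty files are skipped, so an
# interrupted download can be resumed by re-running the script.
fetch_segments() {
    mkdir -p "$3"
    for url in $(segment_urls "$1" "$2"); do
        name=$(basename "$url" | sed 's/%20/ /g')
        [ -s "$3/$name" ] && continue
        curl -fSL -o "$3/$name" "$url" || return 1
    done
}

# Count segments missing from directory $1 for image base name $2 with $3
# segments. Prints the count and returns non-zero if anything is absent,
# because libewf needs the complete chain to open the image.
missing_segments() {
    missing=0
    i=1
    while [ "$i" -le "$3" ]; do
        f=$(printf '%s/%s.E%02d' "$1" "$2" "$i")
        if [ ! -s "$f" ]; then
            echo "missing: $f" >&2
            missing=$((missing + 1))
        fi
        i=$((i + 1))
    done
    echo "$missing"
    [ "$missing" -eq 0 ]
}

# Recompute the MD5/SHA1 stored in the image across all segments; point it at
# the first segment and libewf opens the rest of the chain itself.
verify_image() {
    command -v ewfverify >/dev/null 2>&1 || {
        echo "ewfverify not found; install libewf-tools to verify the image" >&2
        return 2
    }
    ewfverify "$1"
}

# Downloads several GB, so it only runs when invoked as: sh fetch_ewf.sh --fetch
if [ "${1:-}" = "--fetch" ]; then
    server='http://socrdlvideo.napier.ac.uk/modules/misc/CSN09111'
    fetch_segments "$server/Mick/Mick" 7 ./images/Mick
    missing_segments ./images/Mick Mick 7
    verify_image ./images/Mick/Mick.E01
fi
```

Run it once with --fetch for each of the three images (changing the prefix and segment count to match the list above), then keep the ewfverify output with your lab notes: the hash it reports is the acquisition hash embedded in the image, and matching it is the evidence that your local copy is the same image the module published.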