
Host-Based Forensics Coursework Information

XL002906_2023-4_TR1_001 - Host-Based Forensics
(CSN11126/CSN11125)
Welcome to CSN11125/CSN11126 Host-Based Forensics.
This module is for on campus, distance learning, part-time and full-time students. It focuses o
CAINE as the forensic analysis tool. As CAINE is a Linux-based environment, the course also in
Teaching Team
Module Leader Robert Ludwiniak - email: r.ludwiniak@napier.ac.uk +44 (0)131 455 2780 Roo
Skype ID: robert_ludwiniak; WebEx private room - https://edinburghnapier.webex.com/meet/m
Lecturer Dr. Petra Leimich - email: p.leimich@napier.ac.uk Room: C.49
The best way to contact me is via Teams chat. If you want to meet, please contact me via chat
You should make use of the Teams channels for communicating in general, but you can also u
account. Robert is the module leader, so general questions should usually be sent to him.
Announcements
General Questions and Chat
Please use the General Channel in Teams for questions and chat, and to discuss anythi
Reading List
Recordings - We will individually link relevant event recordings in moodle in the appropriate
you can find all recordings in Teams, in the Files > Recordings of the relevant folder immedia
folder; Thursday evening recordings folder.
Resource Booker
The JKCC and library desks do not need to be booked via Resource Booker. The library stud
any other space on-campus.
Resource Booker links into your personal timetable and shows any bookings you have. You
Napier. Here are the Resource Booker Guidelines for School of Computing Students.
Module Delivery
The module delivery will be as follows:
Lectures
Lectures will be delivered both live on campus on Friday at 11am in E17 and
streamed on Teams.
All lectures will be live and recorded using Teams and posted on Moodle.
Labs
Practical work will be hosted in a cloud environment on http://linuxzoo.net using
CAINE.
Practical sessions for on campus students will be delivered in C27 on Friday at 9am.
Engagement and Support
Regular weekly online Teams meetings, which will be hosted by Robert or Petra and
can be used as a drop-in synchronous discussion session. These meetings will be on
Thursdays at 6pm. All students are welcome.
Email and Module Discussion Forum will be used for asynchronous support
throughout the teaching weeks.
Assessments
Short answer class test - 30%
Practical Test using linuxzoo - 40%
Coursework - 30%
All assessment dates will be confirmed in the near future.
Module Overview
Description of module content:
This module will cover elements of operating system disk-level architectures, such as
Windows and Linux. This will allow students to study how operating systems store system
and user data, and thus students will gain an understanding as to what information could
technically be held on such systems. This data could include user files, as well as user
activities such as login session data, browsing histories, operating system manipulation,
and general user interactions with a variety of operating system tools. This understanding
will be expanded through theoretical knowledge and practical exercises in extracting
information from systems, using a variety of open source and commercial forensic analysis
tools, and documenting the results of such a process using consistent and thorough
evidential procedures. This includes the production of event timelines, as well as the
analysis of system logs, operating system state, file systems, and application data. The
module will also consider the ethical and professional issues related to digital forensics.
Learning Outcomes for module:
On completion of this module, students will be able to:
LO1: Develop the analytical and practical skills needed to access, process, and manipulate
disk-based user and operating system data using standard operating system commands.
LO2: Identify and evaluate the key transient and persistent information which may be held in
operating system disk images.
LO3: Develop techniques related to the academic principles, ethics, sound forensic methods,
and practical skills required to analyse a range of end host devices using current forensic
tools and techniques.
LO4: Research, evaluate and critically analyse end host devices as part of a complex
forensic investigation.
Reading List
Module Schedule
Week No.* / Date (w/b) / Lecture Topic (RL = Robert Ludwiniak, PL = Petra Leimich)
Week 2 (w/b 11/09/2023): Module Administration; Introduction to Forensics
Week 3 (w/b 18/09/2023): Acquisition (RL)
Week 4 (w/b 25/09/2023): Advanced Linux DD/GREP/offsets (RL)
Week 5 (w/b 02/10/2023): Storage - Disks/partitions/Boot process (RL)
Week 6 (w/b 09/10/2023): File Systems 1 (FAT & ExFAT) (PL)
Week 7 (w/b 16/10/2023): File Systems 2 (NTFS) (RL)
Week 8 (w/b 23/10/2023): Ethics - Legal - Triage (PL); *Assessment 1 – Short Answer Exam
Week 9 (w/b 30/10/2023): File Metadata and File Recovery (RL)
Week 10 (w/b 06/11/2023): Browsers (PL)
Week 11 (w/b 13/11/2023): Windows Artifacts & Windows Registry (RL)
Week 12 (w/b 20/11/2023): Mobile Forensics (RL)
Week 13 (w/b 27/11/2023): Cloud Forensics (PL)
Week 14 (w/b 04/12/2023): Revision
Week 15 (w/b 11/12/2023): no lecture listed
Labs, in running order through the term (some weeks carry more than one entry):
  Acquisition
  SysIntro, GREP
  MBR, GPT
  FAT & ExFAT
  NTFS
  Catch-up session
  *Assessment 3 handout
  Catch-up session
  File_Recovery_metadata
  File_Recovery_tools
  Browser - linuxzoo
  Windows Artifacts (pdf version under the week 11 tab)
  Registry (pdf version under the week 11 tab)
  Catch-up session
  *Assessment 2 – Practical Exam
  *Assessment 3 – handin
NOTE: The lecture and lab schedule presented above may change: new labs will be
added in due course, and the order of lectures may change to accommodate guest speakers.
Module Communications
This section contains communications spaces used for the module. The General channel on
Teams can be used to ask questions and discuss any general topic on the module, for
general issues as well as coursework discussions.
The "DL Support" channel is a weekly online Teams meeting, which will be hosted by Robert
or Petra and can be used as a drop-in synchronous discussion session. All students - DL and
on campus are welcome.
The lectures and practical sessions will be hosted on campus:
Live lectures will be delivered every Friday at 11:00am in E17 (British time)
Practical sessions (on campus) will be delivered every Friday at 9am in C27. (British
time)
Support session for DL students every Thursday at 6pm (British time).
Assessments
Assessment 1 (30% of module)
This is a short-answer test in week 8. The test is based on all materials covered up to and
including week 7 in the module schedule. The exam is supervised, open book and the
duration of the test is 2 hours. The test will run in Moodle.
Assessment 2 (40% of module)
This assessment is a practical exam in week 14. The exam will run from
http://linuxzoo.net/exam.cgi and has a similar format to the Linuxzoo labs. The exam is
open book, and the duration of the test is 2 hours.
Assessment 3 (30% of module)
This is a written report, to be submitted in week 14. The coursework requirement
specification can be found in the "coursework" section below.
Three assessment elements are used in this module to generate an overall mark for the
module. The overall module mark will be based on the weighted marks achieved for each of
the three elements of the assessment. So, module % mark = test % mark × 0.3 + practical exam % mark × 0.4 +
coursework % mark × 0.3. This will then be aligned to a grade band
associated with the Master level from F5-D5. See the course Moodle page for Master
grading band information.
Assessment 1 (30% of module)
This is a short-answer exam in week 8 on 27th of October. The test is based on all
materials covered up to and including week 7 in the module schedule. The exam is
supervised, open book and the duration is 2 hours.
On campus students only - your class test will start at 9am in C27.
DL students only - two sessions are available for the test. Space is limited
at each one, so it's first come, first served. Please choose the session you are
going to attend in order to sit Assessment 1 - link below. Remember we will be
using Teams for this test, and you will require an external webcam that shows both you
and your screen (e.g. from a slightly side-on view). The webcam built into your laptop will
not be useful here; however, you can use your mobile phone with its camera pointing
at your screen. Be ready 10 minutes before the start.
Assessment 1 Session Choice - DL students only
Please choose the session you are going to "virtually" attend in order to sit
Assessment 1. Remember we will be using Teams for this test.
There are two sessions, starting at 2pm and at 6pm, both on Friday, 27th
October. The evening session is designated for DL students that cannot attend
during the day due to work and/or family commitments. Therefore, if you can
attend during the day please choose the 2pm session.
Assessment 2 (40% of module)
This assessment is a practical exercise, similar in nature to a linuxzoo
tutorial exercise. It takes place in week 14 on Friday the 8th of December 2023.
On campus students - the exam will be from 11am to 1pm in Room C27 and is
supervised. https://linuxzoo.net/exam.cgi.
DL students - you can start the exam any time between 8am and 9pm
UTC/GMT. For DL students, the test is unsupervised. Password - "Final Exam".
The exam is at https://linuxzoo.net/exam.cgi. We will provide the password on
the day of the exam (it will be emailed to DL students on the morning of 8/12).
The test is open book, so you can use the internet to search for solutions if you
wish. This Test is based on practical work that you have covered in the module.
You MUST NOT help other students, receive help from others, post questions on
the internet, use generative AI, share the questions with others or share your
answers with others.
See the lecture and recording in Week 13 for more information.
Coursework
Coursework Specification
The coursework presentation will be on Thursday the 2nd at 6pm on the DL Support
channel. It will be recorded.
Coursework information and requirements
Referencing and Plagiarism
TurnitinUK
Turnitin - coursework submission 2023/24
You will get 0% if you do not submit to Turnitin. If you do submit and your similarity
index is too high, then it is at the discretion of the module leader to report the
matter to the Academic Integrity Officer for investigation.
Forensic tools and images
AXIOM - Student Manual
PDF document
AXIOM - forensic tool - download
Activate your license
You can activate your license from a computer with an internet connection.
1. In AXIOM Process or AXIOM Examine, click Help > Licensing > CLS.
2. In the Magnet License Manager, click Activate license.
3. In the Product drop-down list, click AXIOM / AXIOM Cyber.
4. In the License type drop-down list, select CLS.
5. Under Cloud license server (CLS) license, provide your activation code.
6. Click Activate.
7. Click Close.
8. Restart Magnet AXIOM.
Your activation code is:
efdb-a989-f450-46aa-95d2-0fcb-e329-1221
For the purpose of the labs, you will need forensic images. There are three major
images Guzman, Mick, and Steph-Filipe. Each major forensic image is composed
of multiple files ending with an extension E01...E0X. You need to download all the
files.
Guzman Forensic Image:
http://socrdlvideo.napier.ac.uk/modules/misc/CSN09111/Guzman/Guzman Drive.E0X
--> there are 8 files with extension E01...E08, therefore substitute "X" with a number from 1 to 8.
Mick Forensic Image:
http://socrdlvideo.napier.ac.uk/modules/misc/CSN09111/Mick/Mick.E0X
--> there are 7 files with extension E01...E07, therefore substitute "X" with a number from 1 to 7.
Steph-Filipe Forensic Image:
http://socrdlvideo.napier.ac.uk/modules/misc/CSN09111/Steph-Filipe/StephFilipe.E0X
--> there are 8 files with extension E01...E08, therefore substitute "X" with a number from 1 to 8.
OneDrive - link to the forensic images - download
May be faster than the server links below. You can move this to your own OneDrive
if you don't have space!
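As an added example (not code from the module page or from the linuxzoo/CAINE environment), the helper below builds the full list of segment files for each course image, reports any gap in a downloaded set, and streams a SHA-256 over each part so the values can go into the case notes before anything is mounted. A split E01 image is only usable as a complete set: a missing segment makes every sector after the gap unreadable, which is why the page insists on downloading all the files. The base URLs and segment counts are the ones listed above (the Guzman file name is reproduced as printed, with the space URL-encoded at download time); the function names, the destination directory and the sample directory listing are assumptions made up for the example. The extension rule after E99 (EAA, EAB, ...) is the libewf convention and goes beyond what these three images need.

```python
"""Fetch, completeness-check and hash split EWF (.E01) forensic images.

Added example: not part of the course page. Base URLs and segment counts
come from the page; everything else here is an assumption for illustration.
"""
import hashlib
import os
from urllib.parse import quote
from urllib.request import urlretrieve

# Base path (without the .E0X suffix) and segment count, as given on the page.
# "Guzman Drive" is written as printed there; quote() encodes the space.
COURSE_IMAGES = {
    "Guzman": ("http://socrdlvideo.napier.ac.uk/modules/misc/CSN09111/Guzman/Guzman Drive", 8),
    "Mick": ("http://socrdlvideo.napier.ac.uk/modules/misc/CSN09111/Mick/Mick", 7),
    "Steph-Filipe": ("http://socrdlvideo.napier.ac.uk/modules/misc/CSN09111/Steph-Filipe/StephFilipe", 8),
}


def ewf_extension(n: int) -> str:
    """Extension of EWF segment number n (1-based).

    Segments 1..99 are E01..E99. From 100 onward libewf switches to letters:
    EAA, EAB, ..., EAZ, EBA, ... and after EZZ the leading letter advances to F.
    """
    if n < 1:
        raise ValueError("segment numbers start at 1")
    if n <= 99:
        return f"E{n:02d}"
    k = n - 100
    third = chr(ord("A") + k % 26)
    k //= 26
    second = chr(ord("A") + k % 26)
    k //= 26
    first = chr(ord("E") + k)
    return first + second + third


def segment_names(base: str, count: int) -> list[str]:
    """All segment file names for an image split into `count` parts."""
    return [f"{base}.{ewf_extension(i)}" for i in range(1, count + 1)]


def missing_segments(present: list[str], base: str, count: int) -> list[str]:
    """Segment names that should exist but are absent from a directory listing."""
    have = set(present)
    return [name for name in segment_names(base, count) if name not in have]


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Streamed SHA-256 of one segment file (segments can be gigabytes)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def download_image(name: str, dest_dir: str) -> list[str]:
    """Fetch every segment of a named course image into dest_dir.

    Returns the local paths in segment order; files already present are kept.
    Network access is required; the destination directory is an assumption.
    """
    base_url, count = COURSE_IMAGES[name]
    base_name = os.path.basename(base_url)
    os.makedirs(dest_dir, exist_ok=True)
    paths = []
    for i in range(1, count + 1):
        ext = ewf_extension(i)
        url = f"{os.path.dirname(base_url)}/{quote(base_name)}.{ext}"
        local = os.path.join(dest_dir, f"{base_name}.{ext}")
        if not os.path.exists(local):
            urlretrieve(url, local)
        paths.append(local)
    return paths


if __name__ == "__main__":
    # Offline demonstration on a constructed listing with one segment missing.
    listing = ["Mick.E01", "Mick.E02", "Mick.E03", "Mick.E05", "Mick.E06", "Mick.E07"]
    print("missing:", missing_segments(listing, "Mick", 7))  # ['Mick.E04']
    # Real run (network required):
    # for p in download_image("Mick", "/cases/mick"):
    #     print(sha256_file(p), os.path.basename(p))
```

The per-segment hashes record what you downloaded; they are not the acquisition hash of the evidence. That one is stored inside the EWF container itself, so once the set is complete, run `ewfverify` from the libewf tools in CAINE against the first segment to confirm the stored MD5/SHA1 still matches the data.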
LABS based on AXIOM
Lab - Introduction to AXIOM
PDF document
Prep Material for class test 1
Essentials
File permissions
Regular Expressions
Essential Linux for Forensics
Disks and Partitions
Acquisition
File System analysis and FAT
Download