CIS 294 – Advanced Data Recovery & Clean Room Operations

SPRING QUARTER 2013 / ITEM 2614 SECTION A / 5 CREDITS
SATURDAYS NOON – 5:15 PM * 5/11/2013 THROUGH 6/08/2013
1. INSTRUCTORS
Steve Hailey - ACE, CEH, CEI, CDRE, CISSP, DFCP
Richard Leickly – MS, DFE, CDRE, CHFI, CIH
David Angell – BS, DFE, CDRE
2. PREREQUISITES
CIS 293 with a grade of at least 2.5 or instructor's permission.
3. INSTRUCTOR CONTACT INFORMATION / OFFICE HOURS
Steve Hailey: shailey@edcc.edu
Richard Leickly: richard.leickly@email.edcc.edu
David Angell: david.angell@email.edcc.edu
4. OPEN LAB TIMES – SNOHOMISH HALL ROOM 123
SEE THE “OPEN LABS” SECTION IN BLACKBOARD OR INFOSEC.EDCC.EDU
5. CLASS MEETS ON SATURDAYS NOON – 5:40 PM IN SNOHOMISH HALL ROOM 123
Saturday May 11, 2013
Saturday May 18, 2013
Saturday May 25, 2013
Saturday June 1, 2013
Saturday June 8, 2013
6. DATES TO BE AWARE OF
May 17: Last day to withdraw, add a continuous enrollment class, or change credit status
June 10: Web grading available to instructors through instructor briefcase
June 14: Last day of fall quarter
June 19: Grades are due
June 21: Grades available to students online
7. STUDENT UNDERSTANDING – DIGITAL FORENSICS/INFORMATION SECURITY CLASSES
You will be using software tools and methods in your digital forensics and information security courses that could
constitute a criminal act if used inappropriately or for malicious purposes.
Malicious computing practices, commonly known as "hacking," are illegal. Hacking activities can include, but are
not limited to, conducting denial-of-service attacks; unauthorized access of computer systems and computing
devices with the intent to view, delete or deposit files; defeating an authentication mechanism; unauthorized
“sniffing” or capturing network traffic. In many countries and states, existing laws prohibit such activities, and you
may be liable to criminal or civil prosecution if you engage in such acts.
The digital forensics and/or information security course(s) that you are enrolled in has/have been developed for the
purposes of teaching how to protect computing resources from malicious computing practices, and/or how to
investigate possible misuse or criminal activity where computing devices are used. The goal of the digital forensics
and/or information security classes is not to instruct in how to engage in illegal behavior (e.g., "hacking," as defined
above). Edmonds Community College does not explicitly or implicitly encourage students to use any tools, skills or
knowledge they may obtain to conduct activities that are considered unethical and/or illegal. Edmonds Community
College actively discourages any malicious, unethical or illegal use of the knowledge gained from the courses you
are enrolled in. Sniffing network traffic outside of instructor led or announced labs during class time is not allowed,
nor is using software to capture, display, and/or “crack” the passwords used by other students for their personal
accounts such as email.
8. STUDENT EXPECTATIONS – AT HOME LABS AND ASSIGNMENTS
There will be labs and assignments for your classes that you will be expected to complete at home for CIS 272,
273, 293, and 294. The setup for all classes will be similar. The digital forensics and data recovery classes are
advanced classes – it is expected that students are able to install, troubleshoot and maintain a computer with the
required software to complete all assignments.
Understand that you must have access to a computer at home in order to take the digital forensic and data
recovery classes, and that you are expected to be able to install operating systems and software, troubleshoot,
maintain, and otherwise keep your system running. If you do not possess the skills to do this at this time, it is not
recommended that you take the digital forensic or data recovery courses yet, and that you see Steve Hailey to be
advised for proper placement in classes that you need prior to taking the advanced courses.
Due to the nature of the classes and the types of labs that we will be doing, it is possible that you could damage or
render inoperable the operating system that you are using for the labs. To be successful in performing the labs at
home, it is highly recommended that you do the following:
1. Install Windows XP Professional and any software you will be using for your class on a removable or separate
hard drive. If you choose to use Windows Vista or Windows 7 for your classes, you are expected to be able to set it
up properly. Understand that hundreds of students have used Vista/Windows 7 for their classes successfully, and
these operating systems will work with the digital forensic and data recovery software if configured properly. To
prevent you from having possible problems however, it is highly recommended that you use Windows XP
Professional. You can obtain a copy of Windows XP Professional at no cost through the Microsoft Developers
Network Academic Alliance. See the document named 1C.MSDNAA.pdf in the Course Materials section on
Blackboard. DO NOT USE “HOME” VERSIONS OF MICROSOFT OPERATING SYSTEMS FOR YOUR
FORENSIC/DATA RECOVERY WORKSTATION SETUP AT HOME.
2. Clone or image the hard drive so that it can be easily restored.
3. Use this hard drive for your classes. When performance slows or it is otherwise needed, restore the image to
this drive, or use the clone.
Lastly, do not store any personal information on this drive, or any information that you cannot afford to lose. If
using this drive for homework or assignments, be sure to back up any data on a regular basis.
DO NOT PERFORM ANY LABS AT HOME ON A SYSTEM THAT CONTAINS INFORMATION YOU CANNOT
LOSE, OR THAT CONTAINS PERSONAL INFORMATION SUCH AS BANK ACCOUNT AND CREDIT CARD
INFORMATION. UNDERSTAND THAT EDCC IS NOT RESPONSIBLE FOR YOUR PERSONAL COMPUTER
SYSTEMS IN ANY WAY. ONLY PERFORM LABS USING THE REMOVABLE HARD DRIVE THAT HAS BEEN
SETUP SPECIFICALLY FOR YOUR CLASSES AS DESCRIBED ABOVE.
9. USE OF DATA RECOVERY / FORENSIC SOFTWARE
You will need to install software on your computer at home in order to successfully complete this class. You are
expected to have a functioning system in order to keep up with the assignments and coursework – this is a
requirement.
10. DONGLE CHECKOUT
It should not be necessary to check out an FTK dongle for the data recovery classes, but if one is needed, a
checkout form will be provided.
11. HOMEWORK AND READING ASSIGNMENTS: OVERVIEW
All homework is due at the beginning of class on the date due. Homework not turned in by this time will be
considered late. Manage your time appropriately and get your assignments in on time. We advise you to not wait
until the last minute to start on your homework.
Homework assignments will be assigned in accordance with the schedule in this syllabus, and due in accordance
with the schedule in this syllabus. If there is a variance to this for any reason whatsoever, the information will be
sent out to the class list using the email addresses provided by each student. The information will also be posted to
Blackboard.
If there is a reading assignment for a particular week, this information will be sent out to the class list using the
email addresses provided by each student. The information will also be posted to Blackboard.
It is your responsibility to know when homework is due and to turn it in on time. Any essays and reports
need to be typed and a professional business tone used. We expect the same quality of work that you
would provide an employer. Points will be taken off for sloppy work.
IF YOU ARE UNSURE OF WHAT IS EXPECTED OR HAVE QUESTIONS REGARDING ANY HOMEWORK
ASSIGNMENT, OBTAIN CLARIFICATION FROM YOUR INSTRUCTOR. THIS IS YOUR RESPONSIBILITY. DO
NOT WAIT UNTIL THE DAY BEFORE OR DAY OF AN ASSIGNMENT BEING DUE TO OBTAIN
CLARIFICATION ABOUT THE ASSIGNMENT.
12. CLASS / ASSIGNMENTS OVERVIEW – SPRING QUARTER 2013
The assigned reading will be drawn from the CIS 294 Modules. The numbering shown may be different from the
numbering you see on the module. Module One – Part One is Module 1-1, Module One – Part Two is Module 1-2,
and so on. Also note that the page numbering inside the module may not be the same as what you see in your PDF
viewer. Always check to make sure the assigned section has the correct topic even if the pages don’t match. The
reading has been assigned to follow the lecture on that material. We recommend that you look over the reading
before you come to class if the topic is completely new to you. It is important to attend lectures – especially for the
demonstrations.
There isn’t enough time to cover everything in the Modules. You will only be responsible for the assigned reading.
The modules contain material on the Linux (ext) and Apple (HFS+) file systems that we will not have time to cover.
In the Course Materials section, there is a link to a file named CIS294READINGMODULES.zip. You are to
download this file that contains the reading modules and keep a copy for your own use. This link will be removed
after your first class.
13. ASSIGNMENT OUTLINE
There will be an assignment outline and study guide posted by your first class. This assignment outline and study
guide will list all of the information that you are supposed to know for the class. You will want to review this as soon
as it is made available.
14. HOMEWORK /ADDITIONAL HANDS-ON EXPECTATIONS - TIME
A typical college course that runs twice a week during the normal quarter (not compressed or hybrid) consists of
two class meetings per week for approximately 11 weeks or 22 class meetings. This equates roughly to 5 ½ hours
per week of class time or approximately 60 hours, including labs and hands-on activities. We are going to have a
total of approximately 26 hours of time in class during the quarter. Your expectations should be to spend
approximately 30 hours or more total time outside of class working on homework and coming in for open lab.
Also, we have some very expensive equipment used for diagnosing hard drives and facilitating data recovery – the
same equipment used by professional data recovery businesses. It will behoove you to come in to open lab during
the week and gain familiarity with using this hardware. Becoming good at data recovery is similar to digital
forensics – it takes time and practice. How good you become is only limited by how much time you spend
practicing.
15. LATE HOMEWORK / ASSIGNMENTS
Homework/Reading assignments received after the due date up to one class late will be marked 20 points off. No
assignment will be accepted that is turned in more than 1 (one) class meeting after it is due. To turn in an
assignment late, you will need a password to access the assignment on Blackboard. You will need to
email the instructor for the password – this is your responsibility. We will not accept late assignments
after the last day of class.
It is imperative that you have your homework turned in on time. Be aware that material covered in a
homework assignment may be reviewed by the instructor the day that it is due. If you do not have an
assignment turned in on time, you will be asked to leave the class while the material is being reviewed.
Do not ask your instructor to make exceptions to these rules. If you have a verifiable situation that is
beyond your control such as a death in the family, the instructor will of course work with you. Situations of
this nature will be handled on a case by case basis with the final decision up to your instructor. Again,
waiting until the last minute to start working on your homework is not an excuse.
16. USE OF BLACKBOARD FOR HOMEWORK AND READING ASSIGNMENT SUBMISSIONS
There are likely to be additional assignments not specifically listed in the syllabus at this time that you will need to
know about – for example, reading assignments. Although announcements for homework and reading
assignments will be posted to Blackboard and notifications sent out to all students, you should check Blackboard at
least twice during the week, paying attention to the Announcements. It is recommended that you check
Blackboard on Tuesday and Thursday at the very least, paying special attention to the Announcements and
the Assignments and Homework sections – this is your responsibility. Anything posted to Blackboard will be
announced via the Announcements section, and a copy of the announcement sent to your email address as
recorded in Blackboard. MAKE SURE YOUR EMAIL ADDRESS LISTED ON BLACKBOARD IS CORRECT –
THIS IS YOUR RESPONSIBILITY. As well, make sure that any emails from your instructor’s email address are not
blocked or filtered out with your email.
When submitting your homework or reading assignment using Blackboard, do the following:
1. Print and save a copy of your homework as a PDF. There is free software to enable you to do this:
PDF24 Creator - http://en.pdf24.org/
2. Verify that your assignment was accepted and scored. Do not wait until after the assignment was due or until the
end of the quarter. Do this for each assignment after it is submitted.
If there is a dispute concerning an assignment or a problem with Blackboard, you will need to provide the
PDF copy of your assignment.
17. MY EXPECTATIONS FOR CLASS PARTICIPATION
We expect your attendance/participation each week – especially for the compressed schedule that we are on.
Missing a single class will greatly affect what you learn and take away from the compressed class. Grade
performance is a demonstrated function of attendance, preparation and participation. You can get behind very
easily by missing classes, resulting in a poor understanding of the material, which will show up as a poor grade for
the class. If you miss a class for any reason, you will need to talk to other students and obtain the lecture
notes and/or recordings of the lectures. We will be covering information in class that is not in your texts,
and you will be expected to know the information. This is your responsibility. Missing class and / or labs is
not an adequate excuse for turning in material late, making up a quiz or exam, or getting private tutoring from the
instructor. You are expected to be an active participant in each class meeting. Your grade can be positively
affected if you regularly ask questions, share observations, and contribute relevant personal experiences.
NOTE: DUE TO THE NUMBER OF CIS 294 CLASSES FOR THE QUARTER (5), A STUDENT THAT MISSES
TWO CLASSES WILL BE DROPPED FROM THE CLASS AS THIS WOULD BE MISSING 40% OF THE
LECTURES AND LABS.
18. WORKING WITH LAB PARTNERS
You will be working with another student this quarter to complete the hands-on assignments and some of the in-class
projects. We reserve the right to change your lab partner if we feel it is necessary. You will be expected to
know all of the information covered in the labs. We strongly suggest that you alternate with your lab partner
periodically to maximize your exposure to the hardware and software we will be using.
19. EXTRA CREDIT
Extra credit opportunities will be announced as class progresses. Not doing extra credit work will not adversely
affect your final grade. Any points earned from extra credit work will be applied to your final grade in the homework
category.
20. SCHEDULED TOPICS, HANDS-ON PROJECTS AND LABS
We reserve the right to substitute and modify materials and/or add/substitute labs as class progresses. We have a
lot of information to cover in this course. Hands-on assignments and labs will be announced during class.
If you need additional time or assistance with a particular topic, come in during the posted additional lab times.
21. INCOMPLETES
A grade of “I” or Incomplete is given at the discretion of the instructor and only when the student has done
satisfactory work but could not, for some unavoidable reason, complete some part of the coursework or take the
final examination. This grade will not be awarded if you decide not to come to class, are failing the class due to
poor grades on assignments, or fail to withdraw from class by the end of the seventh week of class (sixth week,
summer quarter).
22. INSTRUCTOR INITIATED WITHDRAWAL
A grade of V is given if an instructor initiates a class withdrawal before the end of the quarter, often in consultation
with the student, but also if a student enrolls in a class, but never attends or stops attending class. A faculty
member is under no obligation to grant an instructor-initiated withdrawal.
23. WITHDRAWAL
A grade of W is given if a student formally requests a withdrawal by the end of the seventh week of class (sixth
week for summer quarter).
24. CELL PHONES
Cell phones are not to be used during class time. If you need to keep your phone on, use the vibrate setting. If
you are waiting on an important call, please sit in the back of the classroom and take your call outside the class.
25. BEING ON TIME
Being late is disruptive to the class. Some class activities are time consuming and must be performed within a
prescribed timeframe. Being late can disrupt the ability of your peers to complete assignments in a timely manner,
and you may miss information passed during lecture. We are all adults, and we expect you to be on time. If you
have a situation that causes you to be consistently late, please discuss this with me.
26. USE OF RECORDING DEVICES IN CLASS
If you are planning on using an audio recording device in class to record me or any other person, obtain approval
first. No video recording.
27. CLASS CONDUCT
We will not tolerate inappropriate conduct in my classroom. We are all adults, and we expect each one of us to
behave like one. The information security and digital forensics classes will be enjoyable, and you will be exposed
to a wealth of information that will help you to achieve your goals. We like to keep the classroom environment
informal but structured. Please observe the following ground rules in my classroom:
• All participants are peers - we are here to help each other
• Everyone participates – no observers
• Only motivational and developmental feedback is allowed - feedback should be honest but helpful
• Be open to feedback, don’t get defensive
• Think of this class as an opportunity to take risks and explore how we can all achieve our goals
• There are no absolutes – it’s O.K. to disagree
• Show respect for each other
28. POLICY ON CHEATING
In the "real" world, most projects involve a cooperative effort to complete and are generally worked on by teams
versus a single individual. Cooperative effort includes helping each other to better understand how the tasks can
be accomplished, explanations or discussions of user interfaces, algorithms, theory, concepts, data structures and
style. It can include testing another person's work and offering suggestions for improvement or checking your
results with the results of someone else.
We will not tolerate cheating. Examples of what we consider cheating include (but are not limited to):
• Assignments that are copied in whole or part from another person.
• Assignments/writing that are plagiarized, such as copied verbatim from the web, books, magazine
articles, etc.
• Using any written or electronic materials to assist you in taking the final, unless otherwise authorized to
do so.
• Asking another student for answers.
• Working on an assignment with another student and submitting the same work.
Consequences of cheating include but are not limited to:
• Failing the course.
• Failing a particular assignment for all parties involved in cheating.
• Going on academic probation.
If you cheat and/or are dishonest, you will not be eligible for internships, taking the CSFA test, giving
presentations to the Washington State HTCIA, or any extracurricular activities that we schedule to give my
students work experience. Also, you will not be able to use me as a reference.
29. GENERAL TOPICS MAILING LIST
Steve Hailey maintains a mailing list of current and former students, and periodically sends out emails on such topics
as information security and computer forensics issues, classes we are giving, and students that have obtained
certifications to name a few. Participation is voluntary, and we do not disclose your email to other sources.
Occasionally we have students assist me in performing information security and computer forensics work in relation
to my business – CyberSecurity Institute. This gives students an opportunity to put their skills to use in the real
world, as well as helping to enhance their resume. Information on these opportunities is passed via the mailing list. If
you want to participate, send an email to infosec-subscribe@stevesmailinglists.com. You must subscribe to the list;
we cannot do this for you. Participation is voluntary, and you can unsubscribe at any time you choose.
30. LINKEDIN
If you are a member of LinkedIn, you are invited to join the following groups if appropriate for the course you are
enrolled in:
EdCC Digital Forensics Program (students enrolled in any digital forensics course)
http://www.linkedin.com/groups?gid=124364
EdCC Information Security Program (students enrolled in any information security course)
http://www.linkedin.com/groups?gid=124365
Study Group for the CyberSecurity Forensic Analyst (CSFA) (students planning to take the CSFA)
http://www.linkedin.com/groups?gid=127384
CyberSecurity Institute Clients and Alumni (all students are invited to join)
http://www.linkedin.com/groups?gid=123760
Digital Forensics Training (all students are invited to join)
http://www.linkedin.com/groups?gid=153874
31. EMERGENCY SCHOOL CLOSURE
In case of an emergency closure, please access the following web site for information: http://www.schoolreport.org/
and/or call this phone number: 425-640-1459.
32. ONLINE, COMPRESSED, HYBRID, AND BLACKBOARD-ENHANCED CLASSES
Successful completion of student responsibilities in this class requires access to Blackboard via an Internet
browser. Information available via Blackboard will be announced via an email to the class distribution list – it is
your responsibility to assure that you have a current and valid email address registered. Instructions for access to
BlackBoard may be located online at the following address: http://online.edcc.edu/study/Bb_login.html
You are expected to check blackboard at least twice a week for assignments and information. New material
uploaded to blackboard will be announced via the student mailing list.
Toll-free technical support (24/7 service) at supportcenteronline.com/ics/support/default.asp?deptid=746
33. DISABILITY STATEMENT
If you require an accommodation for a disability, please contact Services for Students with Disabilities, WDY 114,
(425) 640-1320 or ssdmail@edcc.edu.
34. SNOHOMISH 123 INFORMATION SECURITY AND DIGITAL FORENSICS APPLIED TECHNOLOGY LAB
The classroom for all information security and digital forensic classes is now Snohomish 123 – this classroom is
owned by CIS (Computer Information Systems). When using the classroom and all equipment, you are expected to
follow the same guidelines that have been posted by Academic Computer Services – please see:
http://www.edcc.edu/acs/Policies.php
As well, please be aware of the following additions for our classroom:
DESKS: The desks in our classroom are all equipped with a monitor that disappears into the desktop. Unless
otherwise instructed, these are to be left up. If the monitors are to be put down, exercise care in doing so – do not
force the monitors. If you believe there is an obstruction that is preventing the monitor from being put down
smoothly, please let the instructor know.
PRINTER: We have our own printer in the classroom that does not require use of your EdPass to print. Printing
should be limited to that needed for your information security and digital forensic classes – do not use the printer for
volume printing or printing related to coursework for non-information security and digital forensic classes.
CLEAN ROOM EQUIPMENT: The clean room equipment in the rear of the classroom is to be operated only by
students that have been certified in its use by an instructor or lab assistant.
35. EVALUATION
The table below shows the criteria and weighting used to arrive at your final grade.
Description                              % of Total
Homework/Quizzes                         60
Class Participation and Hands-On Labs    20
Final Exam                               20
Total Percentage                         100
36. EXPLANATION OF GRADING
• Homework/Quizzes: All individual work will be totaled up, averaged, and weighted at 60% of your total grade.
Not turning in an assignment will result in a grade of zero for the assignment.
• Class Participation: We will assign you a discretionary score between 0 and 100 based on your overall
participation in class discussions and in-class assignments/labs, and how we feel you are doing overall in class.
This score will be weighted as 20% of your total grade. You need to actively participate in class and ask
questions regarding topics you are having problems with, need clarification on, or do not understand.
• Final Exam: The Final Exam will be weighted as 20% of your total grade.
37. GRADING TABLE
Grade Points / Percentages
4.0=95%   2.9=84%   1.8=73%
3.9=94%   2.8=83%   1.7=72%
3.8=93%   2.7=82%   1.6=71%
3.7=92%   2.6=81%   1.5=70%
3.6=91%   2.5=80%   1.4=69%
3.5=90%   2.4=79%   1.4=68%
3.4=89%   2.3=78%   1.4=67%
3.3=88%   2.2=77%   1.3=66%
3.2=87%   2.1=76%   1.2=65%
3.1=86%   2.0=75%   1.1=64%
3.0=85%   1.9=74%   1.0=63%
Letter Grades
A  = 4.0 - 3.9
A- = 3.8 - 3.5
B+ = 3.4 - 3.2
B  = 3.1 - 2.9
B- = 2.8 - 2.5
C+ = 2.4 - 2.2
C  = 2.1 - 1.9
C- = 1.8 - 1.5
D+ = 1.4 - 1.2
D  = 1.1 - 0.9
D- = 0.8 - 0.7
38. ABOUT YOUR GRADES
You are being graded on the quality of your work (from an employer’s point of view), not on your effort. The
following describes my expectations for each grade:
4.0 = Exemplary work. Consistently produced perfect or near-perfect quality on all assignments, labs, and the final
exam and is an active participant in the class. We would be proud to show off this work to other instructors or
employers or write a recommendation letter for students receiving a 4.0 grade in this course.
3.5 – 3.9 = Excellent Work. Most assignments were perfect or near perfect, but perhaps could have been a little
more polished to be exemplary. May have missed some points due to late submissions, low final score,
attendance, etc.
3.0 – 3.4 = Above Average Work. Most work was very good, but the quality was not consistent, or needed more
work in order to be excellent. Met all of the objectives of the class, and demonstrated a solid understanding of the
material. May have missed some points due to late submissions, low final score, attendance, etc.
2.0 – 2.9 = Average Work. Met all of the objectives of the class, but no more. Demonstrated understanding of
most of the material, but may have missed some important concepts. Missed some points due to excessive
absences, late or missing assignments, low final score, etc.
Below 2.0 = Below Average Work. Did not meet expectations or objectives of the class. Did not demonstrate
understanding of the material or missed a significant amount of points due to excessive absences, late or missing
assignments, low final score, etc.
39. OVERALL COURSE OBJECTIVES
While achieving the course objectives below, you will be applying and developing the basic education requirements
shown in brackets:
• Recover data from a variety of computer media. [REASON]
• Appropriately use data recovery tools and equipment such as: write blockers, micro-tweezers, dental picks,
anti-static gloves and finger cots. [REASON]
• Set up and utilize a data recovery workstation with associated drive connectors and BIOS bypass tools.
[REASON]
• Describe the processes used for logical and physical recovery of disabled hard drives. [REASON]
• Swap single and multiple hard drive platters. [REASON]
• Replace a hard drive head assembly. [REASON]
• Describe the processes used to facilitate RAID 0 and RAID 5 recovery. [COMMUNICATE]
• List and describe the environmental and technical requirements for operating clean room equipment to
facilitate the recovery of data from various media. [COMMUNICATE]
• Work as a team to analyze, design and implement a data recovery project. [REASON]
SCHEDULE
CLASS MEETING:
MAY 11, 2013 (DAY 1)
TOPICS/CLASS MATERIAL:
1. Introductions
2. Why study Advanced Data Recovery (ADR)?
3. Syllabus Review/How the course will be run
4. Connecting what you learned in Digital Forensics to what you will learn here in Advanced Data Recovery
5. An overview of data recovery for Digital Forensic Examiners
6. Magnetism I
7. Demo/Lab: Your ADR toolkit
8. Demo/Lab: The anatomy of a hard disk drive
ASSIGNMENTS: HOMEWORK #1 will be made available. Due by the start of class, May 18 2013.
LEARNING OBJECTIVES
1. Describe how digital forensics and data recovery relate to each other
2. Define the difference between the read and write heads
3. Describe how data is coded before it is written
4. Understand the origins and properties of magnetism
5. Describe the purpose of physical recovery tools
6. Describe the anatomy of the hard drive
7. Define the purpose of the DeepSpar Disk Imager
8. Define the purpose of the PC-3000
CLASS MEETING:
MAY 18, 2013 (DAY 2)
TOPICS/CLASS MATERIAL:
1. Review; Questions; Announcements
2. The stages of data recovery
3. Hard drive firmware
4. Review of:
a. Byte ordering (i.e. big and little endian)
b. Binary and hexadecimal notation
c. Conversion of hexadecimal to decimal
d. Review of logarithms
5. SMART
a. What it is; What it’s good for
b. How to interpret it
6. Head Stack Assembly (HSA): removal and replacement
ASSIGNMENTS: HOMEWORK #1 due at the beginning of class.
HOMEWORK #2 will be made available. Due by the start of class, May 25 2013.
LEARNING OBJECTIVES
1. Define the two types of data recovery
2. Describe the data recovery process
3. Define what takes place during the power on routine for a hard drive
4. List components of hard drive firmware
5. Describe the purpose of the SMART system
6. Define the function of P-Lists and G-Lists
7. Describe the purpose of the DeepSpar Disk Imager
8. Describe the various physical recovery tools available.
CLASS MEETING:
MAY 25, 2013 (DAY 3)
TOPICS/CLASS MATERIAL:
1. Review; Questions; Announcements
2. PCB in depth
3. Filesystem structure
4. Logical recovery
5. Sector structure
6. Magnetism II
7. Platter Removal
ASSIGNMENTS: HOMEWORK #2 due at the beginning of class.
HOMEWORK #3 will be made available. Due by the start of class, June 8 2013.
LEARNING OBJECTIVES
1. TBD
CLASS MEETING:
JUNE 1, 2013 (DAY 4)
TOPICS/CLASS MATERIAL:
1. Review; Questions; Announcements
2. Electrostatic Discharge (ESD) – Nature and prevention
3. Software tools
4. Head-Platter Interface
5. Recovery with a head turned off
6. Recovery using an alternate FAT
7. Implications of basing a forensic analysis on recovered data
ASSIGNMENTS: IN CLASS QUIZ – OPEN BOOK OPEN NOTES
LEARNING OBJECTIVES
1. TBD
CLASS MEETING:
JUNE 8, 2013 (DAY 5)
TOPICS/CLASS MATERIAL:
1. Review; Questions; Announcements
2. Timeline Construction
3. RAID recovery
4. Cell Phone Forensics
ASSIGNMENTS: HOMEWORK #3 due at the beginning of class.
ON-LINE FINAL EXAM DUE 10:00 PM JUNE 12 2013.
LEARNING OBJECTIVES
TBD