32309 Digital Forensics
Warning: The information on this page is indicative. The subject outline for a
particular session, location and mode of offering is the authoritative source
of all information about the subject for that offering. Required texts, recommended texts and references in particular are likely to change. Students will be provided with a subject outline once they enrol in the subject.
Subject handbook information prior to 2025 is available in the Archives.
Credit points: 6 cp
Subject level:
Postgraduate
Result type: Grade and marksRequisite(s): 32548 Cybersecurity
These requisites may not apply to students in certain courses.
There are course requisites for this subject. See access conditions.
Anti-requisite(s): 48436 Digital Forensics
Recommended studies:
Confident with using Windows command line utilities such as netstat, nslookup, net and ipconfig. Also confident with Linux command line tools such as grep, ls, uname and ps.
Description
This is a practice-based subject, using material based on the textbooks. Learning is laboratory-based.
Students assess if a crime has been committed, acquire digital evidence, analyse the evidence and prepare forensic reports.
The emphasis is on digital forensics applications, in particular:
- forensic analysis of a digital storage device where evidence of visits to web sites is recovered to support or oppose a hypothesis before a criminal court
- eDiscovery (a form of discovery related to civil litigation) where students acquire evidence of contact with a third party using email or social media
- intrusion investigation into the nature and extent of an unauthorised network intrusion. Students look for evidence of malware being installed on the device that may use the network to exfiltrate data to an unauthorised person.
Subject learning objectives (SLOs)
Upon successful completion of this subject students should be able to:
| 1. | Evaluate theories of digital forensics. (D.1) |
|---|---|
| 2. | Understand the structure of forensic evidence. (D.1) |
| 3. | Implement forensically sound digital security practices in industry. (B.1, C.1) |
| 4. | Demonstrate competence in applying industry-standard forensic analysis techniques. (D.1) |
Course intended learning outcomes (CILOs)
This subject also contributes specifically to the development of the following Course Intended Learning Outcomes (CILOs):
- Socially Responsible: FEIT graduates identify, engage, and influence stakeholders, and apply expert judgment establishing and managing constraints, conflicts and uncertainties within a hazards and risk framework to define system requirements and interactivity. (B.1)
- Design Oriented: FEIT graduates apply problem solving, design thinking and decision-making methodologies in new contexts or to novel problems, to explore, test, analyse and synthesise complex ideas, theories or concepts. (C.1)
- Technically Proficient: FEIT graduates apply theoretical, conceptual, software and physical tools and advanced discipline knowledge to research, evaluate and predict future performance of systems characterised by complexity. (D.1)
Contribution to the development of graduate attributes
Engineers Australia Stage 1 Competencies
This subject contributes to the development of the following Engineers Australia Stage 1 Competencies:
- 1.3. In-depth understanding of specialist bodies of knowledge within the engineering discipline.
- 1.4. Discernment of knowledge development and research directions within the engineering discipline.
- 1.6. Understanding of the scope, principles, norms, accountabilities and bounds of sustainable engineering practice in the specific discipline.
- 2.1. Application of established engineering methods to complex engineering problem solving.
- 2.2. Fluent application of engineering techniques, tools and resources.
- 3.1. Ethical conduct and professional accountability.
Teaching and learning strategies
This subject is a hands-on, career-oriented solution that emphasises practical experience. It is a blended curriculum with both case study research and learning.
Students attend classes 3 hours a week. The lecture material is available online. Students are required to study this material in their own time before the class. There is a lecture and discussion of the topics in class, The remainder of the time in the class is devoted to practical labs.
Content (topics)
This subject aims to develop an in-depth understanding of digital forensics principles as well as the tools and configurations available.
The following topics are covered:
- The Legal Process in forensic investigation. Digital Evidence. Australian Privacy Principles
- Duties of First Responders
- Data Acquisition from Hard Disks and Networks
- Disk file systems including FAT32 and NTFS
- Windows Registry analysis
- Linux Artifacts of forensic interest
- Metadata in Graphics, Documents and Camera images
The following tools are covered:
- Protocol sniffers/analysers
- TCP/IP utilities
- Windows Internals utilities
- Hard Disk (HDD) utilities
- Web-based resources
The predominant lab types are procedural, skills integration challenges, troubleshooting, and model building.
Upon completion of the subject, students are able to perform the following tasks:
- describe the security threats facing modern network infrastructures
- secure network device access
- implement forensic analysis on network devices
- implement forensic analysis on hard disk devices
- administer effective security policies
- collect forensics material for specialist analysis
Assessment
Assessment task 1: Quiz
| Objective(s): | This assessment task addresses the following subject learning objectives (SLOs): 1 and 4 This assessment task contributes to the development of the following Course Intended Learning Outcomes (CILOs): D.1 |
|---|---|
| Type: | Quiz/test |
| Groupwork: | Individual |
| Weight: | 10% |
Assessment task 2: Case Study
| Intent: | Case Studies are designed for students to practice their skills their skill in locating digital forensic evidence in supplied logs and traces in a real world environment. |
|---|---|
| Objective(s): | This assessment task addresses the following subject learning objectives (SLOs): 2, 3 and 4 This assessment task contributes to the development of the following Course Intended Learning Outcomes (CILOs): B.1, C.1 and D.1 |
| Type: | Case study |
| Groupwork: | Group, group and individually assessed |
| Weight: | 40% |
Assessment task 3: Skills tests
| Intent: | Skills Based Assessments (SBAs) are designed for students to demonstrate their skill in locating forensic evidence on a digital device. |
|---|---|
| Objective(s): | This assessment task addresses the following subject learning objectives (SLOs): 1, 3 and 4 This assessment task contributes to the development of the following Course Intended Learning Outcomes (CILOs): B.1, C.1 and D.1 |
| Type: | Demonstration |
| Groupwork: | Individual |
| Weight: | 30% |
Assessment task 4: Weekly Skills Test
| Intent: | For students to demonstrate mastery of weekly lab concepts. |
|---|---|
| Objective(s): | This assessment task addresses the following subject learning objectives (SLOs): 1, 3 and 4 This assessment task contributes to the development of the following Course Intended Learning Outcomes (CILOs): B.1, C.1 and D.1 |
| Type: | Laboratory/practical |
| Groupwork: | Group, individually assessed |
| Weight: | 20% |
Minimum requirements
In order to pass the subject, a student must achieve an overall mark of 50% or more.
Required texts
Refer to Readings in UTS Canvas.
Recommended texts
Nelson, Phillips, Steuart, Guide to Computer Forensics and Investigations, Sixth Edition, Cengage Learning 2019, ISBN:978-1-337-56894-4
References
Jones, Bejtlich and Rose, Real Digital Forensics, Addison-Wesley, 2009 (7th printing) , ISBN 0-321-24069-3
Carrier, Brian, File System Forensic Analysis, Addison-Wesley, 2007 (5th printing) , ISBN 0-321-26817-2
Casey, Eoghan, Digital Evidence and Computer Crime, Elsevier, Academic Press, Third Edition c 2011 ISBN-10: 0123742684