30h Th, 12h Labo., 30h Proj.
Nombre de crédits
Langue(s) de l'unité d'enseignement
Organisation et évaluation
Enseignement au deuxième quadrimestre
Unités d'enseignement prérequises et corequises
Les unités prérequises ou corequises sont présentées au sein de chaque programme
Contenus de l'unité d'enseignement
On one hand, a Digital evidence refers to any probative information stored or transmitted in digital form that a party to a court case may use at trial (e.g., emails, digital photos, ATM transaction logs, databases backups, ...). On the other hand, digital forensics is a branch of forensic science concerned with the proper acquisition, preservation, and analysis of digital evidence, typically after an unauthorized access or use has taken place. Digital forensics follows the goal to explain the current state of a digital artifact.
This course aims at providing a first look at digital forensics, in particular focusing on network forensics (i.e., monitoring and analyzing network traffic), computer data forensics (i.e., flash, HDD, USB device), and mobile devices forensics (i.e., collect digital evidence from mobile devices).
Table of Content:
Part 0: Administrative Details (B. Donnet)
Part 1: Digital Forensics Methodology (B. Donnet)
- Chap. 1: Generalities
- Chap. 2: Sources of Evidences
- Chap. 3: Evidence Acquisition
- Chap. 1: Deep Web
- Chap. 2: Email Forensics
- Chap. 3: Traffic and Packet Analysis
- Chap. 4: Wireless and Mobile Network Investigation
- Chap. 1: File System Forensics
- Chap. 2: FAT File System
Acquis d'apprentissage (objectifs d'apprentissage) de l'unité d'enseignement
Upon completing this course, students are expected to:
- understand the basics of computer data and network forensics
- acquire hands-on practice on digital forensics investigation
- be prepared for active research at the forefront of this area.
VI.1, VII.1, VII.6 du programme d'ingénieur civil en informatique.
Savoirs et compétences prérequis
Students are supposed to have a good knowledge of basic Computer Networking (INFO0010 or assimilated) and of basic Operating Systems (INFO0940 or assimilated).
It is not required to have any knowledge in Computer Security
Activités d'apprentissage prévues et méthodes d'enseignement
The course is organized as follows
- Lectures (30hours) describing in details the theoretical and practical aspects of the course
- Lab sessions (10h) to be done individually. Each lab ends with a small report to complete (a simple text file to fill in with answers or pieces of code).
Mode d'enseignement (présentiel, à distance, hybride)
If possible, face-to-face lectures will be organized, in addition to lab sessions and assignments (carried out remotely).
According the CoVID19 pandemia evolution, it is still possible that the course will be reorganized remotely (WebEx/Collaborate virtual classes, podcast, ...)
The course is entirely given in English.
Lectures recommandées ou obligatoires et notes de cours
Slides, as well as assignments and labs subjects, are available on the course Web Site.
The course has been built based on those books:
- E. Casey. Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. 3rd Edition, Academic Press. May 2011.
- R. C. Neuman. Computer Forensics: Evidence Collection and Preservation. EC Council Press. 2010.
- S. Davidoff, J. Ham. Network Forensics: Tracking Hackers Through Cyberspace. Prentice Hall. May 2012.
- M. Robinson. Digital Forensics Workbook: Hands-on Activities in Digital Forensics. WorkBook Edition. October 2015.
- B. Carrier. File System Forensic Analysis. Ed. Addison-Wesley. 2005.
- N. A. Mikus. An Analysis of Disc Carving Techniques. MS Thesis. Naval Postgraduate School. 2006. See https://calhoun.nps.edu/bitstream/handle/10945/2219/05Mar_Mikus.pdf?sequence=1
- D. Farmer, W. Venema. Forensic Discovery. Ed. Pearson Education. 2009. Chapter 5.
- A. Hoog. Android Forensics: Investigation, Analysis, and Mobile Security for Google Android. Ed. Syngpress. June 2011.
- M. K. Bergman. The Deep Web: Surfacing Hidden Value. White Paper.
- T. V. Lillard, C. P. Garrison, C. A. Schiller, J. Steele. Digital Forensics for Network, Internet, and Cloud Computing. Ed. Elsevier. 2010
Modalités d'évaluation et critères
Examen(s) en session
Toutes sessions confondues
- En présentiel
The evaluation is twofold:
- Labs are evaluated (a simple text file to fill in during/right after the lab with students' answers). They account for 40% of the final grade.
- The oral exam (on the theoretical part of the course) accounts for 60% of the final grade. Note that the oral exam will require the student to answer to only one question (based either on material reviewed by L. Mathy, or by B. Donnet).
In case of failure in June, if the grade of the labs is favorable to the students, the resit session is identical to the first one, with the same weighting. On the other hand, if the grade of the labs is not favorable to the student, it will not be taken into account in the weighting in September. Oral exam must be redone.
As the course is given every two years, in case of (definitive) failure, the student will have to do the oral exam the following year.
The course is proposed every 2 years (given during Academic Year 2022-2023).
The course is given during the second semester
- Benoit Donnet (email -- office 1.87b/B28)
- Laurent Mathy (email -- office 1.15/B37)
- Gaulthier Gain
Association d'un ou plusieurs MOOCs
Notes en ligne
Course Web Site
The course web site contains PDF of the slides, labs/assignments subjects, details about gradings, and the course agenda. It also allows students to interact with the Pedagogical Team through the Discussion forum.