ISYS 565: Digital Forensics Winter Semester 2011

Section 1: W328 TNRB on M W at 02:00 pm - 03:15 pm

Instructor Information

Instructor: Anthony Vance, PhD

Office: 779 TNRB

Office Hours: M 10a-12p; W 1:30p-3:30p; F 1p-3p

Office Phone: 801-361-2531

Email: anthony.vance@byu.edu

Website Address:

Course Information

Classroom Procedures

Classroom sessions will explore the same topics as the reading assignments and seek further depth through discovery learning. It is essential that students read the assigned material before coming to class. Instruction will follow these three approaches: (1) topic discussion of course concepts, (2) interaction with professional experts that will allow students to contextualize computer forensics concepts in actual business settings, and (3) in-class lab activities that apply these concepts to simulated computer forensics investigative situations.

Grading Policies

Per Marriott School policy, the grade point target for this course will be 3.5.

Learning Outcomes

  • Acquire Digital Evidence

    Acquire digital evidence in a forensically sound manner.

  • Evaluate Organizational Policies

    Evaluate whether organizational policies are sufficient to support forensics investigations, e-discovery, and incident response.

  • Analyze Forensics Artifacts

    Analyze forensics artifacts to determine evidentiary value.

  • Prepare Forensics Report

    Prepare a forensics report for relevant stakeholders and defend your findings.


This class includes two midterm exams, both non-cumulative. Midterm 1 is the AccessData ACE certification, which will be taken outside of class. Your score on the certification will be your score for Midterm 1.


Midterm 2 will be administered in-class and will cover material taught since Midterm 1, as well as all assigned readings.


Instead of a final exam, a final project will be given which will be completed in teams of three or four. The final project consists of (1) a forensics report of a hard drive, and (2) a forensics tournament in which teams defend their reports against the challenges of other teams, and vice versa.


There are ten labs in the class. Each lab is due approximately one week after the lab was given in-class. All labs are to be submitted via email to teaching assistant Paul Brems at

Forensics files

You can access downloadable files to be used in class here:

Course Reserve

Click here to access the course reserve page for this class.


Point Breakdown

Forensics Case Report: 20
Forensics Case Tournament: 15
Midterm 1: 20
Midterm 2: 20
Readings Quizzes: 5
Total Points: 100

Library Information

Librarian Information

Name: Leticia Camacho

Office: 1211 HBLL

Phone Number: 422-1970


Reference Desk Information

Name: Business, Mgmt, Economics

Phone Number: 422-2802


Hours: M-Th: 8am-9pm; F: 8am-6pm; Sat: 10am-6pm

University Policies

BYU Honor Code

In keeping with the principles of the BYU Honor Code, students are expected to be honest in all of their academic work. Academic honesty means, most fundamentally, that any work you present as your own must in fact be your own work and not that of another. Violations of this principle may result in a failing grade in the course and additional disciplinary action by the university. Students are also expected to adhere to the Dress and Grooming Standards. Adherence demonstrates respect for yourself and others and ensures an effective learning and working environment. It is the university's expectation, and my own expectation in class, that each student will abide by all Honor Code standards. Please call the Honor Code Office at 422-2847 if you have questions about those standards.

Preventing Sexual Discrimination and Harassment

Title IX of the Education Amendments of 1972 prohibits sex discrimination against any participant in an educational program or activity that receives federal funds. The act is intended to eliminate sex discrimination in education. Title IX covers discrimination in programs, admissions, activities, and student-to-student sexual harassment. BYU's policy against sexual harassment extends not only to employees of the university, but to students as well. If you encounter unlawful sexual harassment or gender-based discrimination, please talk to your professor; contact the Equal Employment Office at 422-5895 or 367-5689 (24-hours); or contact the Honor Code Office at 422-2847.

Students with Disabilities

Brigham Young University is committed to providing a working and learning atmosphere that reasonably accommodates qualified persons with disabilities. If you have any disability which may impair your ability to complete this course successfully, please contact the Services for Students with Disabilities Office (422-2767). Reasonable academic accommodations are reviewed for all students who have qualified, documented disabilities. Services are coordinated with the student and instructor by the SSD Office. If you need assistance or if you feel you have been unlawfully discriminated against on the basis of disability, you may seek resolution through established grievance policy and procedures by contacting the Equal Employment Office at 422-5895, D-285 ASB.

Marriott School Classroom Policies

See for Marriott School classroom policies.


Course Schedule

Date / Topics / Activities / Assignments Due

W - Jan 5

Introduction to Digital Forensics


M - Jan 10

Guest presenter: Trevor O'Donnal, Network Security Analyst, OIT Production Services

Casey, Foreword, Chapter 1: Introduction

Readings quiz, Casey: Foreword, Chapter 1

W - Jan 12

Introduction to FTK

ACE Video: Module #2 — FTK (Part 1)

In class: FTK tutorial


M - Jan 17

Martin Luther King Jr. - No class

W - Jan 19

FTK Report Writing

ACE Video: Module #3 — FTK (Part 2)

In class: FTK report tutorial

Casey, Chapter 2

Readings quiz, Casey: Chapter 2

M - Jan 24

Binary, hexadecimal, magic numbers, and data carving

In class: Lab 2: Magic Numbers

Lab 1: FTK report tutorial

W - Jan 26

Hardware basics

In class: Hardware disassembly

Bunting: "Computer Hardware" (course e-reserve).

Quiz, Bunting: "Computer Hardware".

M - Jan 31

File systems

Bunting, "File Systems" (course e-reserve)

Casey, pp. 209-234, "Windows Forensic Analysis"

Quiz, Bunting: "File Systems" (course e-reserve)

Lab 2: Magic Numbers

Readings quiz, Casey: pp. 209-234, "Windows Forensic Analysis"

W - Feb 2

Data acquisitions

ACE Video: Module #1 — Overview and Imager

In class: Lab 3: Imaging

AccessData Module 2: Working with FTK Imager


M - Feb 7

Regular expressions; indexed searching

In class: Lab 4: Regular expressions

Regular Expression Guide: a/en_us/print/techdocs/Web_regexp.pdf

Sample regular expressions: expressions

Skim: Perl syntax as implemented by FTK: 1_45_0/libs/regex/doc/html/boost_regex/syntax/ml

Regular expression tester:

Lab 3: Imaging

W - Feb 9

Windows Registry

Mark Stringer, Manager, Certification, AccessData

Windows Registry

Carvey, Registry Analysis, pp.157-252. (Course e-reserve)

ACE Video: Module #4 — Registry Viewer

ACE Video: Module #6 — Utility Integration and KBA Sample Questions

Readings quiz, Carvey: Registry Analysis pp.157-252

M - Feb 14

Password Cracking

Schneier, Real-world Passwords. rchives/2006/12/realworld_passw.html

Schneier, Choosing Secure Passwords. rchives/2007/01/choosing_secure.html

Lab 4: Regular Expressions

Readings quiz, Schneier: Real-world passwords, Choosing secure passwords

W - Feb 16

Password Cracking Continued

ACE Video: Module #5 — PRTK

Password Recovery with PRTK™/DNA. a/en_us/print/papers/wp.PRTK-DNA_Password_Recovery.en_us.pdf

In class: Lab 5: Password Cracking


M - Feb 21

Presidents Day - No class

T - Feb 22

Dan Hooper, Chief Investigator, Intermountain West Regional Computer Forensics Laboratory, Utah Department of Public Safety

Deadline to complete the ACE midterm


W - Feb 23


Casey, pp. 63-105

Readings quiz, Casey: pp. 63-105

M - Feb 28

Hard drive encryption and data destruction


Wright et al. 2008. "Overwriting Hard Drive Data: The Great Wiping Controversy." (Course reserve)

Hughes et al. 2009. "Disposal of Disk and Tape Data by Secure Sanitization." (Course reserve)

Lab 5: Password Cracking

W - Mar 2

David Mortensen, Partner

Stoel Rives LLP

Casey, pp. 106-132

Readings quiz, Casey: pp. 106-132

M - Mar 7

Amber Schroader, CEO, Paraben Corporation


W - Mar 9

Incident response

Casey, pp. 135-175

Lab 6: e-Discovery Data Reduction

Readings quiz, Casey: 135-175

M - Mar 14

Chad Tilbury, Consultant, eDNA Forensics; Instructor, SANS

Casey, pp. 175-206

Readings quiz, Casey: pp. 175-206

W - Mar 16

Live Analysis

Lab 8: RollingCat Part 1

Lab 7: Live Analysis

Anson, Live-Analysis Techniques (course reserve)

Lab 6: e-Discovery Data Reduction

M - Mar 21

Windows Artifacts

Casey pp. 235-263, 273-286

Lab 9: Windows Artifacts

Readings quiz, Casey: pp. 235-263, 273-286

W - Mar 23

Lee Whitfield, Owner, Forensic 4cast; Computer Forensic Supervisor, Disklabs

Casey, pp. 263-268

Lab 9: RollingCat Part 2

In class: Lab 6: Windows Artifacts

Lab 8: RollingCat Part 1

Readings quiz, Casey: pp. 263-268

M - Mar 28

Joseph Sanchez, H11 Digital Forensics

Lab 10: RollingCat Part 3

Prosise et al. 2003. Chapter 17: "Writing Computer Forensics Reports," pp. 435-456. (Course reserve)

Lab 9: Windows Artifacts

Lab 10: RollingCat Case Part 2

Readings quiz, Prosise.

W - Mar 30

Midterm 2


M - Apr 4

Forensic Awareness in Organizations


W - Apr 6

Final Project work day


Sa - Apr 9

Forensics Report Due


Forensics Report Due

M - Apr 11

Forensics Team Tournament, Part 1


W - Apr 13

Forensics Team Tournament, Part 2

Course Review