CIS 4930/5930: Applied Cyber Forensics

Department of Computer Science

Florida State University

Spring 2017


0x00: Course Summary

               This course will familiarize students with the technical aspects of Windows host forensics. Students will learn how to use open source tools to make images; capture volatile data; perform file system, network traffic, memory, and disk image analysis; defeat simple anti-forensics techniques, use open source information to aid their investigations, and write professional reports on their findings.


0x01: Course Logistics



Instructors: Xiuwen Liu (pronounced as Shu-wen Lea-l), Douglas Hennenfent, and Shawn Stone

Email:, (Douglas Hennenfent,), and (Shawn Stone)

Home page:

Office:  Xiuwen Liu: 166 Love Building (LOV);     Phone: (850) 644-0050

               Douglas Hennenfent and Shawn Stone: 010 Love

Office hours: 

   Xiuwen Liu: Monday and Wednesday, 10:10am-11:30am

   Douglas Hennenfent: TBD

                  Shawn Stone: TBD

Course website:

Slides, assignments, and handouts will be available from


0x02: Course Time and Location

Tues/Thurs, 1100-1215, Love Building room 151.



0x03: Prerequisites and Corequisites
Prerequisite: CDA 3100 – Computer Organization I

Corequisite: COP 4530 - Data Structures, Algorithms, and Generic Programming


Success in this course will require familiarity with the linux command line, an ability to work with and manipulate hexadecimal values, capability to independently research novel concepts, and strong written communication skills.


0x04: Grading Policy
Grades will be determined as follows:






Class Attendance & Participation

10 %

Final Project

25 %

Homework Assignments

35 %

Term Project

20 %

 Grad Project*




*For undergrads, the 10% grad project will be added to the homework assignments category.


Grading will be based on the weighted average as specified above and the following scale will be used (S is the weighted average on a 100-point scale):








93 <= S


80 <= S < 83


67 <= S < 70


90 <= S < 93


77 <= S < 80


63 <= S < 67


87 <= S < 90


73 <= S < 77


60 <= S < 63


83 <= S < 87


70 <= S < 73


S < 60


0x05: Late Penalties
Assignments are due at the beginning of the class on the due date. Assignments turned in late, but before the beginning of the next scheduled class will be penalized by 10 %. Assignments that are more than one class period late will NOT be accepted.

0x06: Submission and Return Policy
All tests/assignments/projects/homework will be returned as soon as possible after grading.

0x07: Assignments and Assignment Submission Policies:

Homework assignments (most of them involve solving forensics problems) will be given along with the lectures. These assignments need to be done individually and turned in along with a written report. There will be a term project, where a team must complete forensic analysis on several disk images. There will be an individual forensic analysis project during the last week of class and finals week.


Forensic analysts can expect to continually encounter systems, environments, and artifacts with which they are not familiar. The ability to address novel situations with research and experimentation is an essential skill. Given the sheer scope of detailed technical knowledge required it is possible that at some point you may ask a question that the instructors would have to further research. In such situations any student willing to research and write a short report answering the question may earn additional points towards their class participation grade.


If you are taking the course at the graduate level [5930] you will be expected to complete a project demonstrating initiative and outside learning commensurate with your education and experience as a graduate student. Possible projects include implementing, re-implementing, or extending an open source forensics tool; researching and demonstrating a forensics topic or technique not covered in the scope of this course; or developing or extending an anti-forensics tool. You will present your project during the last week of class. All projects must have a written proposal approved by the instructors. If you wish to do a project outside of the above suggestions you may work with the instructors to develop an acceptable proposal for your idea. You may work with a partner. If you choose to work with a partner the project should be appropriate in scope and challenge compared to an individual project.

0x08: Student Responsibilities

Attendance is required for this class. Unless you obtain prior consent of the instructors, missing classes will be used as a basis for attendance grading. Excused absences include documented illness, deaths in the family and other documented crises, call to active military duty or jury duty, religious holy days, and official University activities. These absences will be accommodated in a way that does not arbitrarily penalize students who have a valid excuse. Consideration will also be given to students whose dependent children experience serious illness. In case that it is necessary to skip a class, students are responsible to make up missed materials. Participation in in-class discussions and activities is also required.


All submitted assignments and projects must be done by the author(s). It is a violation of the Academic Honor Code to submit other’s work and the instructor of this course takes the violations very seriously.


This course will at times cover certain techniques to exploit and break down known systems in order to demonstrate their vulnerabilities. It is illegal, however, to practice these techniques on others' systems without the owner’s explicit consent.


 0x09: Textbooks, Computer Requirements

This course has no assigned textbook. A useful but not required reference is Digital Forensics with Open Source Tools by Altheide and Carvey.


Most assignments in this course will require a computer capable of running a hypervisor. It may be the case that your personal computer cannot run the necessary software. A few machines will be available in the Lov 016 lab for use by students in this course to complete their assignments. If you choose to use the shared machines, please be aware that some assignments may require lengthy processing time. It is best to start early to ensure that you have adequate time available on the shared machines.


0x0A: Rationale & Detailed description for Course

               Cybersecurity is a rapidly growing career field with many opportunities in the public and private sectors. A forensic analyst is a cybersecurity professional specializing in retrieving data from computer systems and determining what transpired on that system.


               In this course you will conduct several forensic investigation of Windows systems from media capture to final reporting. The focus will be on Windows system internals from Vista onward and the NTFS file system as this is a very common configuration for analysts to encounter. While the focus of this course is on the technical side of an analyst’s responsibilities, you will be expected to produce forensics reports on all homework assignments and projects. These reports must be written at a level suitable for use in a court of law. As such this course will be significantly more writing intensive than a typical Computer Science course.


               This course focuses on host forensics. A complete analysis requires an ability to understand a computer’s network traffic and the operations of any malware found on the system. However this is not a networking course nor a reverse engineering course. While helpful, neither are necessary to understand the material for this course. As you continue your cybersecurity studies both will be covered in significant depth in the excellent “Offensive Network Security” and “Reverse Engineering and Malware Analysis” courses.

0x0B: Course Objectives
After taking this course, students will be able to:

        Create forensically sound disk images and memory captures

        Find and interpret common Windows and NTFS artifacts

        Carve file systems and recover deleted information

        Obtain familiarity with open source forensics tools

        Create and extract information from memory captures and hibernation files

        Produce professional reports on the results of their analysis

        Recover and analyze e-mail databases

        Understand basic anti-forensics techniques

        Detect and determine functionality of malware to the extent possible without reverse engineering

        Capture and interpret network traffic

        Configure a professional forensics workstation

        Conduct a complete forensics examination

0x0C: Course Calendar

        Week 1: Intro. to Cyber Forensics, Need & Value of Forensics, Setting up a workstation, SIFT, How do I Linux, CrashDump course in hex & hex dumps, Reporting, Evidence Seizure, Chain of Custody, FDLE guest speaker.

        Week 2: Cont. Evidence Seizure, Order of Volatility, Chain of Custody, Reporting, FDLE guest speaker if not possible in week one, secure destruction of evidence when case is completed.

        Week 3: Disk Image Forensics: Disk structure - volumes and partitions, file systems, Slack space - volume, disk, and file, Copying images, Deleted files & Deleted file recovery.

        Week 4: Disk Image Forensics: FAT32, NTFS, $USNJrnl, Alternate Data Streams

        Week 5: Disk Image Forensics: MBR, UEFI, FDE, continue disk forensics.

        Week 6: Windows Log File Analysis: Security & Event Logs, Timelining & Presenting log analyses.

        Week 7: Log File Analysis: Firewall Logs, PCAP, Crash course on the OSI stack, Databases, IIS, Applications.

        Week 8: Log File Analysis: Browser log files, OutLook PST / OST, continued log file analysis. Graduate project proposal due.

        Week 9: Win Sysinternals: Recycle Bin, Prefetch, JumpLists, Registry - Structure, Components, How to Read, LastWrite time, System Time, USB Devices, Mounted devices, Wired & Wireless network interfaces.

        Week 10: Spring break; stay safe

        Week 11: Win Sysinternals: Registry - Shellbags; Most Recently Used lists; User Assist; Jump Lists; Run, Run Once, and Run Service Keys; Internet Explorer keys

        Week 12: Win Memory Forensics: Volatile Storage, Memory Structure, Process Structure

        Week 13: Win Memory Forensics: Introduction to Volatility, Dumping files from memory, grabbing passwords from memory, Hibernation Files

        Week 14: Malware Research: OSINT research - Malware types, Virus Total, Open source reporting and documentation, Open source tools, Source Code

        Week 15: Anti-forensics: Log overwriting, Timestomping, Transmogrifying, Steganography, Encryption, Metasploit Anti-forensics framework, briefly memory anti-forensics.

        Week 16: Overflow space, Presentations of grad projects.

        Week 17: (Final Exam Week): Complete final project. Due at 5:00pm, May 4, 2018.


0x0D: Academic Honor Code

The Florida State University Academic Honor Policy outlines the University’s expectations for the integrity of students’ academic work, the procedures for resolving alleged violations of those expectations, and the rights and responsibilities of students and faculty members throughout the process. Students are responsible for reading the Academic Honor Policy and for living up to their pledge to “…be honest and truthful and … [to] strive for personal and institutional integrity at Florida State University.” (Florida State University Academic Honor Policy, found at


Assignments/projects/exams are to be done individually, unless specified otherwise. It is a violation of the Academic Honor Code to take credit for the work done by other people. It is also a violation to assist another person in violating the Code (See the FSU Student Handbook for penalties for violations of the Honor Code). The judgment for the violation of the Academic Honor Code will be done by the instructor and a third party member (another faculty member in the Computer Science Department not involved in this course). Once the judgment is made, the case is closed and no arguments from the involved parties will be heard. Examples of cheating behaviors include:


        Discuss the solution for a homework question.

        Copy programs for programming assignments.

        Use and submit existing programs/reports on the world wide web as written assignments.

        Submit programs/reports/assignments done by a third party, including hired and contracted.

        Plagiarize sentences/paragraphs from others without giving the appropriate references. Plagiarism is a serious intellectual crime and the consequences can be very substantial.


Penalty for violating the Academic Honor Code: A 0 grade for the particular assignment /exam and a reduction of one letter grade in the final grade for all parties involved for each occurrence. A report will be sent to the department chairman for further administrative actions.


0x0E: Accommodation for Disabilities

Students with disabilities needing academic accommodation should: (1) register with and provide documentation to the Student Disability Resource Center; and (2) bring a letter to the instructor indicating the need for accommodation and what type. This should be done during the first week of class. This syllabus and other class materials are available in alternative format upon request. For more information about services available to FSU students with disabilities, contact the: Student Disability Resource Center 874 Traditions Way 108 Student Services Building Florida State University Tallahassee, FL 32306-4167 (850) 644-9566 (voice) (850) 644-8504 (TDD)


0x0F: Additional Information

Free Tutoring from FSU: On-campus tutoring and writing assistance is available for many courses at Florida State University. For more information, visit the Academic Center for Excellence (ACE) Tutoring Services' comprehensive list of on-campus tutoring options at or contact High-quality tutoring is available by appointment and on a walk-in basis. These services are offered by tutors trained to encourage the highest level of individual academic success while upholding personal academic integrity.


0x10: Syllabus Change Policy: Except for changes that substantially affect implementation of the evaluation (grading) statement, this syllabus is a guide for the course and is subject to change with advance notice.