🎯 Course Overview

This course provides students with the theoretical foundation and hands-on practice required to conduct forensic investigations on compromised digital systems. Learners will perform evidence collection, disk and memory analysis, and log correlation to identify attack patterns. The course emphasizes chain of custody, proper documentation, and forensic reporting.


🧠 Learning Outcomes

By the end of this course, learners will be able to:

  1. Understand digital forensics principles and investigation methodologies.

  2. Acquire, preserve, and verify digital evidence while maintaining chain of custody.

  3. Perform file system, memory, and network forensic analysis.

  4. Identify artifacts of intrusion and data exfiltration.

  5. Prepare and present professional forensic reports.


📅 Weekly Module Plan

Week 1 — Introduction to Digital Forensics

Topics:

  • Role of digital forensics in cybersecurity

  • Investigation process & lifecycle

  • Chain of custody and evidence handling

  • Legal and ethical considerations (Indian IT Act 2000, evidence admissibility)

Lab 1:

  • Set up a forensic lab environment (Autopsy, FTK Imager, Kali Linux tools).

  • Create a case file and evidence folder structure.

Assignment:
Complete a chain-of-custody form for a given scenario.


Week 2 — Disk & File System Forensics

Topics:

  • File systems (NTFS, FAT32, EXT4)

  • Deleted file recovery, hidden data, slack space

  • Metadata analysis (timestamps, MFT records)

Lab 2:

  • Acquire a disk image using FTK Imager or dd.

  • Recover deleted files and verify integrity using hash values.
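The integrity check in Lab 2 and the chain-of-custody record from Week 1 fit together naturally: re-hash the acquired image before analysis, compare with the hashes recorded at acquisition, and log the outcome. The script below is an added example written for this syllabus, not course material; the file names, the JSON-lines custody-log format and the `CASE-001`/`E-01` identifiers are assumptions.

```python
"""Re-verify an acquired disk image against its acquisition hashes and append
the result to a chain-of-custody log (added example; layout is an assumption)."""
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path


def hash_image(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Hash a (possibly multi-GB) image in 1 MiB chunks so it never has to
    fit in RAM. Returns {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, recorded_hashes):
    """Compare current hashes with those recorded at acquisition (e.g. from the
    FTK Imager summary or the examiner's dd notes). Every recorded algorithm
    must match; one mismatch fails verification. Comparison is case-insensitive."""
    current = hash_image(path, algorithms=tuple(recorded_hashes))
    mismatches = {alg: (recorded_hashes[alg], current[alg])
                  for alg in recorded_hashes
                  if current[alg].lower() != recorded_hashes[alg].lower()}
    return {"verified": not mismatches, "computed": current, "mismatches": mismatches}


def log_custody_event(log_path, case_id, evidence_id, examiner, action, result):
    """Append one JSON-lines custody entry; append-only keeps earlier entries intact."""
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "case_id": case_id, "evidence_id": evidence_id, "examiner": examiner,
        "action": action, "verified": result["verified"],
        "hashes": result["computed"], "mismatches": result["mismatches"],
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


if __name__ == "__main__":
    # Constructed sample: a tiny "image" standing in for a real dd/E01 capture.
    Path("evidence.dd").write_bytes(b"FORENSIC-SAMPLE" * 1000)
    recorded = hash_image("evidence.dd")            # hashes taken at acquisition
    result = verify_image("evidence.dd", recorded)  # re-verify before analysis
    print(log_custody_event("custody.jsonl", "CASE-001", "E-01", "examiner", "verify", result))
```

Record the acquisition hashes in the case notes at the moment of imaging, and re-run the verification on every working copy, since a copy that fails to match should never be analyzed or cited in the report.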

Quiz 1: Forensic evidence handling and file systems.


Week 3 — Memory Forensics

Topics:

  • Memory acquisition techniques

  • Volatile data collection

  • Analysis using Volatility Framework

  • Identifying running processes, network connections, injected code

Lab 3:

  • Capture RAM image using DumpIt/Belkasoft tools.

  • Analyze with Volatility (pslist, netscan, dlllist, malfind).

Assignment:
Report suspicious activity found in memory analysis.


Week 4 — Log & Network Forensics

Topics:

  • Windows and Linux log analysis

  • Web and email log tracing

  • Network capture analysis (Wireshark, tcpdump)

  • Correlating events across multiple logs

Lab 4:

  • Analyze web server access logs for intrusion attempts.

  • Correlate PCAP data with host logs to reconstruct the attack timeline.

Quiz 2: Event correlation and log forensics.


Week 5 — Mobile & Cloud Forensics

Topics:

  • Mobile OS architecture (Android/iOS)

  • Data acquisition (logical, physical, file-system extraction)

  • Cloud evidence challenges (jurisdiction, SaaS artifacts)

Lab 5:

  • Simulate mobile extraction using free tools (e.g., MOBILedit demo, Autopsy mobile plugin).

  • Examine app data and message recovery examples.

Assignment:
Write a brief on challenges in cross-border digital investigations.


Week 6 — Reporting & Incident Response Integration

Topics:

  • Documentation and report writing

  • Timeline reconstruction

  • Incident response coordination (NIST framework)

  • Case presentation & defense

Lab 6 (Capstone):

  • Analyze a simulated intrusion case (provided disk image + logs).

  • Identify the attack path and artifacts, and write a full forensic report.

Final Project:

Forensic Investigation Report — “Ransomware Incident on Compromised Windows Host.”
Deliverables: Case notes, evidence chain, timeline, and executive summary.