CMPS 3650 - Digital Forensics
Sections 60 and 61 - Spring 2022
Instructor and Contact Information
Instructor: Dr. Melissa Danforth (she/her)
Office Hours: MTuWThF 12:00-1:00pm via Discord (link posted on Canvas) or by appointment
Email: or
Other: You can direct message me on Discord to contact me at any time I am at a campus computer, even if it's not currently my office hours. There is also a class channel on my Discord to talk with other students about the course.

Virtual Class Information
Course LMS is Canvas. Log in to your Canvas account to access course materials.

Course meets MW 5:30-6:45pm (lecture) and F 3:00-5:30pm (lab) on Zoom (Zoom information will be posted on Canvas).

General Class Structure: Contact me if you have any issues with attending sessions, such as Internet issues, power outages, technical difficulties, work conflicts, or other university excused absences.

Webcams will not be required of students. I have also configured Zoom to allow phone call-ins and to mask phone numbers for those who have to call in to attend.

Recordings will be transferred over to Knowmia for post-processing and closed captioning before being posted to Canvas. This means there is a processing delay for the automatic video transfer between Zoom and Knowmia, and then for the manual closed captioning generation on Knowmia. Please allow 1-2 business days for the videos to be processed and posted.

The video transferred to Knowmia records the current speaker and shared screen from Zoom. This means the recording will capture anything that is said over a microphone, but it will NOT have the public chat log. If you do not wish to have your name appear in the recording, you can either public chat or private chat questions to me for me to answer during class. I'll anonymously repeat any chat questions before answering them.

Optional Group Assignments
Working in groups is optional in this course. Groups can discuss any course assignment and study groups are also allowed for the course, but group submissions of an assignment are only allowed for lab assignments (see Academic Integrity Policy below). If you do opt to work in groups, virtual collaboration options include git, Slack, Discord, Zoom, MS Teams, and so on. If you opt for a face-to-face group meeting, you must adhere to all current campus COVID-19 policies and procedures regarding face-to-face meetings.

Catalog Description
CMPS 3650 Digital Forensics (4)
Investigative techniques, evidence handling procedures, forensics tools, digital crime reconstruction, incident response, ethics, and legal guidelines within the context of digital information and computer compromises. Hands-on case studies cover a range of hardware and software platforms and teach students how to gather evidence, analyze evidence, and reconstruct incidents.
Catalog Prerequisites: CMPS 2010 with a grade of C- or better or CMPS 2650

Prerequisites by Topic
Knowledge of programming languages in C/C++ family AND/OR
Knowledge of Linux command-line interface

Units and Contact Time
4 semester units. 3 units lecture (150 minutes), 1 unit lab (150 minutes).

Class Expectations
This course is a hands-on elective course. This means it's very important to remain engaged in the course assignments, which will apply the theory from lecture to "case studies" (small examples of potential real-world scenarios). If something comes up, please communicate with me as soon as possible to avoid falling behind in the course.

Also, as an elective course, students are expected to engage in independent learning in this course and to stay up-to-date on the reading assignments. Critical thinking, independent evaluation, and troubleshooting are important traits for the cybersecurity profession. There will be many cases where there is no one "right answer" to a situation, and showing me your reasoning is as important as the conclusion you've drawn.

Since the textbook is freely available online, lectures after the first week will assume that you have completed the reading assignments. While the lectures will cover some of the textbook concepts, particularly the more complicated concepts, the lectures will primarily focus on applications of the concepts and providing a deeper understanding of the concepts. Additional materials may also be brought in from other sources during the lectures to provide more breadth and/or depth on the concepts.

Most labs will require the use of virtual machines (VMs). The department has a subscription service to VMware which provides students with a free one-year license to VMware software for Linux, Windows, and Mac. Accounts will be emailed to you at the start of the class. Steve Garcia will also install the class VM in the CEE/CS Tutoring Center, for those who cannot get the VM working on their home machine. If you have any issues with VMware, please reach out to me.

Plan to spend an average of 8-12 hours outside of class each week on this course.

Class Principles
The following principles will guide this course:

Please note that I am not a legal professional, and I am also not a licensed digital forensics investigator. The course is arranged as an academic's view of the field of digital forensics. We are also using Linux tools to keep course costs low, instead of one of the commercial tools more commonly used amongst practitioner.

Class Type
Selected elective for CS - Computer Information Systems (CIS) and CS - Information Security (IS) students. Also an upper-division course for the CS minor.

NOTE: This course is NOT an elective course for CS - Traditional students. It will only count for general university units, but will not meet the CS - Traditional elective requirements.

Required Textbook(s)

All books used for this course are freely available through the CSU O'Reilly Safari Tech Books subscription. To access that subscription, first log in to Safari with the following link: Then click on the following links to load the e-book (if you forget to log in, you'll just get a summary instead of the e-book).

Lecture textbook: Digital Archaeology: The Art and Science of Digital Forensics. Michael W. Graves. Addison-Wesley Professional, 2013, ISBN-13: 978-0-321-80390-0 (print book). Safari link:

Lab reference book: Practical Linux Forensics: A Guide for Digital Investigators. Bruce Nikkel. No Starch Press, 2021, ISBN-13: 978-1-7185-0196-6 (print book) and 978-1-7185-0197-3 (e-book). Safari link:

Recommended Textbook and Other Supplemental Materials
The following book takes more of a system administration approach to investigating cybersecurity breaches and incidents. It is written by a team of founders and security engineers from the cybersecurity firm Mandiant.
Incident Response & Computer Forensics, 3rd Edition. Jason Luttgens, Matthew Pepe, and Kevin Mandia. McGraw-Hill, 2014, ISBN-13: 978-0-07-179869-3 (print book). Safari link:

The author of the lab reference book also has an earlier book on using Linux for forensic duplication, which is useful if you want to know more about that process (we'll have one lab on this topic):
Practical Forensic Imaging. Bruce Nikkel. No Starch Press, 2016, ISBN-13: 978-1-59327-793-2. Safari link:

Supporting articles and current events relating to the course will be posted on the Canvas site.

Melissa Danforth

Student Learning Outcomes
This course covers the following ACM/IEEE CS2013 (Computer Science) Body of Knowledge student learning outcomes:

ABET Outcome Coverage
The course maps to the following student learning outcomes for Computer Science (CAC/ABET):
1. An ability to analyze a complex computing problem and to apply principles of computing and other relevant disciplines to identify solutions.
Critical thinking and analyzing a situation are foundational skills for cybersecurity which will be developed throughout this course.
4. An ability to recognize professional responsibilities and make informed judgments in computing practice based on legal and ethical principles.
Cybersecurity is intrinsically tied to ethics and legal principles. A strong ethical foundation and an understanding of relevant legal issues will be developed in this course.

Lecture Topics and Rough Schedule
WeekChapter(s)Lecture TopicsLab Topic
1 Ch 1 Digital forensics overview Installing VMware
2 Ch 2 & 3 Laws, search warrants, and subpoenas Binary representation of data
3 Ch 4 Privacy and professional ethics Linux overview
4 Ch 5 & 6 Admissibility, evidence handling, and incident response Shell scripts and forensic toolkit
5 Ch 7 Data acquisition, order of volatility, live data Live Linux data acquisition
6 Ch 7 Forensic duplication - theory and overview of tools Using dd for duplication
7 Ch 9 Analyzing document and file data Finding data hidden in files
8 Ch 8 Deleted and unlinked files, data hidden in unallocated space Recovering deleted files
9 Ch 10 Email basics and email forensics Recovering data from slack & unallocated spaces
10 Ch 11 Web server and browser details, and web forensics Analyzing application data (email and browser)
11 Ch 12 Network data and artifacts Network packet capture
12 Ch 13 Cloud-based data and artifacts Linux logs and configuration
13 Ch 14 Mobile device forensics Linux peripherals and attached devices
14 Ch 15 Anti-forensics techniques Investigate some anti-forensics
15 Ch 17, 20, 18 Report writing
(if time): Licensing and certification, and software tools
Final review session

A more detailed course schedule is posted to the Canvas site with links to each textbook chapter, outside information, and other relevant materials.

Students are responsible for their own attendance. The topics covered in lecture will be listed on Canvas. Recordings of the classes will be posted to Canvas after processing.

Civility During Discussions
Over the course of the term, there may be classroom discussions on contentious issues in cybersecurity, such as discussing various approaches to disclosing vulnerabilities. Opinions will differ, sometimes drastically, during these discussions, hence why they are matters of debate within the cybersecurity field. Students are expected to be civil to, and respectful of, one another during these discussions.

Academic Integrity Policy
Lab assignments may be optionally completed in groups. For a group lab assignment, one person in the group can turn in one submission for the entire group, but make sure everyone's name is on the submission so all members of the group receive credit for the assignment.

All other assignments are individual assignments. That means you may discuss the assignments with one another, but each student must turn in their own work in their own words. It is also okay to reference external sources in your submission, but you must appropriately paraphrase that source by expressing the information you researched in your own words.

For example, you cannot copy-and-paste from a website or copy another student's submission, but you can refer to that website and summarize what you've learned, or summarize your discussion with the other student. I even encourage you to add questions you still have, and, if I have time during grading, I'll try to customize my grading comments to answer those questions.

In summary, no direct copying from any source (other students, external sources, textbook, etc.) is allowed. Instances of direct copying that are detected may be referred to the Dean of Students as an academic integrity violation.

Refer to the Academic Integrity policy in the campus catalog and class schedule for more details. You can also refer to the Academic Integrity policy at the Dean of Students website:

Academic Accommodations
To request academic accommodations, please contact the Office of Services for Students with Disabilities (SSD) and email me an accommodations letter from the SSD Office. Policies from the SSD Office relating to accommodations, such as scheduling policies for using their testing center, must also be followed. For more information about the services and policies of the SSD Office, contact their staff by email and/or visit their website at

Basic Needs Assistance
If you are experiencing challenges related to basic needs, such as food insecurity, housing insecurity, or other challenges, there are resources available to you.

The campus Food Pantry, located next to the Student Union, is open and available to all students, staff, and faculty. Please visit the Food Pantry website for hours and information at Information about food distributions, CalFresh, and other food resources can be found at Information about food assistance at the Antelope Valley campus is at

The campus also has emergency housing available for full-time students on a first-come, first-served basis. For housing concerns, please contact Jason Watkins, Assistant Director for Basic Needs, at 654-3360 or Ashley Scott, the Assistant Director of Housing. You can find more information about housing assistance and contact email addresses at

More information on basic needs assistance is on the Basic Needs website:

Health and Well-Being
This continues to be a trying time mentally, physically, and with work / life balance issues. If you need additional time for assignments due to your current situation, please contact me to discuss the options available to you. Similarly, should something come up unexpectedly in my life that affects a class meeting, I will let everyone know through email / Discord / Canvas.

The CSUB Counseling Center has both regular-hours and after-hours counseling services available. Call 654-3366 to connect with their services. After their normal operating hours, you can press 2 at any time to connect to the after-hours service. More information is at

CSUB's Student Health Services is available for basic health care needs, at little to no cost for CSUB students. You can find more information about their services at

Current information about CSUB's COVID-19 plans, policies, and resources can be found at

Technology Assistance and Software
If you need help with technology, such as a loaner laptop and/or hotspot, ITS has programs to provide technology assistance to students. Go to the following ITS webpage to learn more about their programs:

The CEE/CS Department has academic software subscriptions available to students enrolled in CMPS and ECE courses. This currently includes Microsoft, VMware, and Mathematica. Go to the following page for more information:

CSUB ITS also many software products available to students through the Virtual Computer Lab (VCL). You will need to use your myCSUB credentials to access VCL. To see the full list of software and to access VCL, go to

Quizzes on Reading Assignments 15%
Lab Assignments 30%
Checkpoint Assignments 30%
Final Exam 25%

Grades are posted on Canvas. Note: Canvas does not penalize your grade for any ungraded assignments, so it will show your "current" overall percentage based off the classwork graded to-date.

It is your responsibility to check Canvas for grades and any comments on assignments. If you believe you submitted your assignment on time but the comment field says "assignment not received", contact me.

Flexible Due Dates
This course uses flexible due dates. Roughly speaking, you should aim to submit the assignment within two weeks of it being assigned so that you are staying on-track in the course, but Canvas will accept submissions through the end of the term.

To give me sufficient time to grade assignments submitted at the end of the term, the last day I will accept submissions of all assignments is 11:59pm Friday May 20, 2022.

Every other week, beginning in Week 2, there will be a quiz on the reading assignments and lecture topics. This quiz will be through the Canvas quiz module and is automatically graded. The lowest quiz score will be dropped.

You may work on labs in groups of up to 3 students. If you work in a group, only one student needs to submit the assignment, but make sure to put everyone's names on the assignment submission. Only the students whose names are on the assignment will get credit for the lab. If you are in a group but are not the one submitting the assignment to Canvas, you may put a comment in Canvas's Note field indicating who did submit the assignment for your group.

Submit your work to Canvas and I will grade it during my next grading session. Do NOT email your submission as the campus spam system sometimes silently blocks emails with attachments. The lowest lab grade will be dropped.

Checkpoint Assignments
Every other week, beginning in Week 3, there will be a checkpoint assignment to assess how everyone is doing in the course. These assignments will be a mix of essay questions on lecture and lab topics, as well as additional investigations into lab topics. The lowest grade will be dropped.

Canvas Submission Guidelines
Submissions must be in a standardized document format (e.g., ODT, DOC, DOCX, PDF, PNG, JPEG, etc.). Also, make sure to check your file after it has uploaded, to be sure there were no upload errors.

If you have drawn something out by hand, take a picture or use a scanner and upload the image to Canvas. Please keep the file sizes reasonable, but also make sure the image is legible.

If you submit multiple files, please name them in a fashion that indicates what they contain, e.g. lab2_drawing.jpg, lab4_part1.pdf, lab4_part2.pdf, and so on.

If you have any difficulties submitting to Canvas, contact me for help. Emailed submissions are not guaranteed to be accepted since my email volume is so high and the spam detection software can silently drop emails.

The final exam is in two parts: Part 1 is a Canvas quiz module with theoretical questions from both lecture and lab. Part 2 is a culminating lab practicum where you will conduct the given analysis and upload your written report.

The campus final exam schedule says that the final exam time slot for this course is Wednesday May 18, 2022 from 5:00-7:30pm. However, I am giving you the following windows to complete each part of the exam: It is your responsibility to log into Canvas during these windows and to complete both parts of the final exam.

If you have any connectivity, power, or technology issues that cause you to get locked out of your attempt for Part 1 of the exam and/or that prevent you from uploading a submission to Part 2, contact me as soon as possible to get that resolved.

Prepared By
Melissa Danforth on January 21, 2022.
Update history:
January 23, 2022 - Updated lab reference book to full book name instead of short book name.

Approval of Course Outline
Approved by CEE/CS Department in Spring 2014
Effective Fall 2016