Instructor: Dr. Melissa Danforth (she/her)
Office Hours: MTuWThF 12:00-1:00pm via Discord (link posted on Canvas) or
Email: email@example.com or firstname.lastname@example.org
Other: You can direct message me on Discord to contact me at any time I am at
a campus computer, even if it's not currently my office hours. There is also
a class channel on my Discord to talk with other students about the course.
Course LMS is Canvas. Log in to your Canvas account to access course materials.
Course meets MW 5:30-6:45pm (lecture) and F 3:00-5:30pm (lab) on Zoom
(Zoom information will be posted on Canvas).
General Class Structure:
- First Monday (January 24th): Attendance is required for class overview.
- Mondays and Wednesdays (lecture days): Attendance is optional, but strongly
encouraged. Lecture will be on textbook material and additional materials
relevant to the week's topics. Lectures will be recorded.
- Fridays (lab days): Attendance is optional, but strongly encouraged.
Demos of the labs will be given over Zoom and I will be available in Zoom
/ Discord to help with labs. Think of lab days as dedicated office hours /
study group time to get the assignments completed for the course. Only
the demo will be recorded, but not any subsequent discussions.
Contact me if you have any issues with attending sessions, such as Internet
issues, power outages, technical difficulties, work conflicts, or other
university excused absences.
Webcams will not be required of students. I have also configured Zoom to allow
phone call-ins and to mask phone numbers for those who have to call in to
Recordings will be transferred over to Knowmia for post-processing and closed
captioning before being posted to Canvas. This means there is a processing
delay for the automatic video transfer between Zoom and Knowmia, and then for
the manual closed captioning generation on Knowmia. Please allow 1-2 business
days for the videos to be processed and posted.
The video transferred to Knowmia records the current speaker and shared screen
from Zoom. This means the recording will capture anything that is said over a
microphone, but it will NOT have the public chat log. If you do not wish to
have your name appear in the recording, you can either public chat or private
chat questions to me for me to answer during class. I'll anonymously repeat
any chat questions before answering them.
Working in groups is optional in this course. Groups can discuss any course
assignment and study groups are also allowed for the course, but group
submissions of an assignment are only allowed for lab assignments (see
Academic Integrity Policy below). If you do opt to work in
groups, virtual collaboration options include git, Slack, Discord, Zoom, MS
Teams, and so on. If you opt for a face-to-face group meeting, you must adhere
to all current campus COVID-19 policies and procedures regarding face-to-face
CMPS 3650 Digital Forensics (4)
Investigative techniques, evidence handling procedures, forensics tools,
digital crime reconstruction, incident response, ethics, and legal guidelines
within the context of digital information and computer compromises. Hands-on
case studies cover a range of hardware and software platforms and teach
students how to gather evidence, analyze evidence, and reconstruct incidents.
Catalog Prerequisites: CMPS 2010 with a grade of C- or better or CMPS 2650
Knowledge of programming languages in C/C++ family AND/OR
Knowledge of Linux command-line interface
4 semester units. 3 units lecture (150 minutes), 1 unit lab (150 minutes).
This course is a hands-on elective course. This means it's very important to
remain engaged in the course assignments, which will apply the theory from
lecture to "case studies" (small examples of potential real-world scenarios).
If something comes up, please communicate with me as soon as possible to avoid
falling behind in the course.
Also, as an elective course, students are expected to engage in independent
learning in this course and to stay up-to-date on the reading assignments.
Critical thinking, independent evaluation, and troubleshooting are
important traits for the cybersecurity profession. There will be many cases
where there is no one "right answer" to a situation, and showing me your
reasoning is as important as the conclusion you've drawn.
Since the textbook is freely available online, lectures after the first week
will assume that you have completed the reading assignments. While the
lectures will cover some of the textbook concepts, particularly the more
complicated concepts, the lectures will primarily focus on applications of the
concepts and providing a deeper understanding of the concepts.
Additional materials may also be brought in from other sources during the
lectures to provide more breadth and/or depth on the concepts.
Most labs will require the use of virtual machines (VMs). The department has
a subscription service to VMware which provides students with a free one-year
license to VMware software for Linux, Windows, and Mac. Accounts will be
emailed to you at the start of the class. Steve Garcia will also install the
class VM in the CEE/CS Tutoring Center, for those who cannot get the VM
working on their home machine. If you have any issues with VMware, please
reach out to me.
Plan to spend an average of 8-12 hours outside of class each week on this
The following principles will guide this course:
- Communication: I understand if something unexpected has come
up that interferes with your course work. Please communicate with me as
soon as possible though, so we can discuss extensions and other options
for moving forward in the course. Keep the lines of communication
- Respect: There are many situations in cybersecurity where
differing, but equally valid, opinions may exist. Respect the rights
of others to form different conclusions than your own.
- Critical Thinking: While there may be some rote assignments
in this course, many assignments will require applying critical
thinking and analysis skills. My grading approach for those "thinking
questions" is more about seeing your thought process than seeking
Please note that I am not a legal professional, and I am also not a licensed
digital forensics investigator. The course is arranged as an academic's view of
the field of digital forensics. We are also using Linux tools to keep course
costs low, instead of one of the commercial tools more commonly used amongst
Selected elective for CS - Computer Information Systems (CIS) and CS -
Information Security (IS) students. Also an upper-division course for
the CS minor.
: This course is NOT
an elective course
for CS - Traditional students. It will only count for general university
units, but will not meet the CS - Traditional elective requirements.
All books used for this course are freely available through the CSU O'Reilly
Safari Tech Books subscription. To access that subscription, first log in to
Safari with the following link:
Then click on the following links to load the e-book (if you forget to
log in, you'll just get a summary instead of the e-book).
Lecture textbook: Digital Archaeology: The Art and Science of Digital Forensics.
Michael W. Graves. Addison-Wesley Professional, 2013, ISBN-13:
978-0-321-80390-0 (print book). Safari link:
Lab reference book: Practical Linux Forensics: A Guide for Digital Investigators.
Bruce Nikkel. No Starch Press, 2021, ISBN-13: 978-1-7185-0196-6 (print book) and
978-1-7185-0197-3 (e-book). Safari link:
The following book takes more of a system administration approach to
investigating cybersecurity breaches and incidents. It is written by a team
of founders and security engineers from the cybersecurity firm Mandiant.
Incident Response & Computer Forensics, 3rd Edition. Jason Luttgens,
Matthew Pepe, and Kevin Mandia. McGraw-Hill, 2014, ISBN-13:
978-0-07-179869-3 (print book). Safari link:
The author of the lab reference book also has an earlier book on using Linux
for forensic duplication, which is useful if you want to know more about
that process (we'll have one lab on this topic):
Practical Forensic Imaging. Bruce Nikkel. No Starch Press, 2016,
ISBN-13: 978-1-59327-793-2. Safari link:
Supporting articles and current events relating to the course will be posted
on the Canvas site.
This course covers the following ACM/IEEE CS2013 (Computer Science)
Body of Knowledge student learning outcomes:
- CS-IAS/Foundational Concepts in Security
- [Familiarity] Describe the concepts of risk, threats,
vulnerabilities and attack vectors (including the fact that there
is no such thing as perfect security).
- [Familiarity] Describe important ethical issues to consider in
- CS-IAS/Digital Forensics
- [Familiarity] Describe what a digital investigation is, the sources
of digital evidence, and the limitations of forensics.
- [Familiarity] Describe the legal requirements for use of seized
- [Familiarity] Describe the process of evidence seizure from the
time when the requirement was identified to the disposition of
- [Familiarity] Describe how data collection is accomplished and the
proper storage of the original and forensics copy.
- [Familiarity] Describe a person's responsibility and liability
while testifying as a forensics examiner.
- [Usage] Conduct data collection on a hard drive.
- [Usage] Recover data based on a given search term from an imaged
- [Usage] Reconstruct application history from application artifacts.
- [Usage] Reconstruct web browsing history from web artifacts.
- [Usage] Capture and interpret network traffic.
- [Familiarity] Discuss the challenges associated with mobile device
- [Familiarity] Identify anti-forensics methods.
- CS-SP/Professional Ethics
- [Familiarity] Describe the mechanisms that typically exist for a
professional to keep up-to-date.
- [Familiarity] Describe the strengths and weaknesses of relevant
professional codes as expressions of professionalism and guides
- [Familiarity] Describe the consequences of inappropriate
- [Usage] Examine various forms of professional credentialing
(if sufficient time at end of course)
- CS-SP/Security Policies, Laws and Computer Crimes
- [Familiarity] Identify laws that apply to computer crimes.
- [Familiarity] Examine the ethical and legal issues surrounding
the misuse of access and various breaches in security.
- [Familiarity] Discuss the professional's role in security and
the trade-offs involved.
The course maps to the following student learning outcomes for Computer Science
- 1. An ability to analyze a complex computing problem and to apply principles
of computing and other relevant disciplines to identify solutions.
Critical thinking and analyzing a situation are foundational skills for
cybersecurity which will be developed throughout this course.
- 4. An ability to recognize professional responsibilities and make informed
judgments in computing practice based on legal and ethical principles.
Cybersecurity is intrinsically tied to ethics and legal principles. A strong
ethical foundation and an understanding of relevant legal issues will
be developed in this course.
|Week||Chapter(s)||Lecture Topics||Lab Topic|
||Digital forensics overview
||Ch 2 & 3
||Laws, search warrants, and subpoenas
||Binary representation of data
||Privacy and professional ethics
||Ch 5 & 6
||Admissibility, evidence handling, and incident response
||Shell scripts and forensic toolkit
||Data acquisition, order of volatility, live data
||Live Linux data acquisition
||Forensic duplication - theory and overview of tools
||Using dd for duplication
||Analyzing document and file data
||Finding data hidden in files
||Deleted and unlinked files, data hidden in unallocated space
||Recovering deleted files
||Email basics and email forensics
||Recovering data from slack & unallocated spaces
||Web server and browser details, and web forensics
||Analyzing application data (email and browser)
||Network data and artifacts
||Network packet capture
||Cloud-based data and artifacts
||Linux logs and configuration
||Mobile device forensics
||Linux peripherals and attached devices
||Investigate some anti-forensics
||Ch 17, 20, 18
(if time): Licensing and certification, and software tools
|Final review session
A more detailed course schedule is posted to the Canvas site with links to
each textbook chapter, outside information, and other relevant materials.
Students are responsible for their own attendance. The topics covered
in lecture will be listed on Canvas. Recordings of the classes will be
posted to Canvas after processing.
Over the course of the term, there may be classroom discussions on
contentious issues in cybersecurity, such as discussing various approaches
to disclosing vulnerabilities. Opinions will differ, sometimes drastically,
during these discussions, hence why they are matters of debate within the
cybersecurity field. Students are expected to be civil to, and respectful
of, one another during these discussions.
Lab assignments may be optionally completed in groups. For a group lab
assignment, one person in the group can turn in one submission for the entire
group, but make sure everyone's name is on the submission so all members of
the group receive credit for the assignment.
All other assignments are individual assignments. That means you may discuss
the assignments with one another, but each student must turn in their own work
in their own words. It is also okay to reference external sources in your
submission, but you must appropriately paraphrase that source by expressing
the information you researched in your own words.
For example, you cannot copy-and-paste from a website or copy another student's
submission, but you can refer to that website and summarize what you've
learned, or summarize your discussion with the other student. I even encourage
you to add questions you still have, and, if I have time during grading, I'll
try to customize my grading comments to answer those questions.
In summary, no direct copying from any source (other students, external
sources, textbook, etc.) is allowed. Instances of direct copying that are
detected may be referred to the Dean of Students as an academic integrity
Refer to the Academic Integrity policy in the campus catalog and class
schedule for more details. You can also refer to the Academic Integrity
policy at the Dean of Students website:
To request academic accommodations, please contact the Office of Services
for Students with Disabilities (SSD) and email me an accommodations letter from
the SSD Office. Policies from the SSD Office relating to accommodations, such
as scheduling policies for using their testing center, must also be followed.
For more information about the services and policies of the SSD Office, contact
their staff by email and/or visit their website at
If you are experiencing challenges related to basic needs, such as food
insecurity, housing insecurity, or other challenges, there are resources
available to you.
The campus Food Pantry, located next to the Student Union, is open and
available to all students, staff, and faculty. Please visit the
Food Pantry website for hours and information at
Information about food distributions, CalFresh, and other food resources
can be found at
Information about food assistance at the Antelope Valley campus is at
The campus also has emergency housing available for full-time students on a
first-come, first-served basis.
For housing concerns, please contact Jason Watkins, Assistant Director for
Basic Needs, at 654-3360 or Ashley Scott, the Assistant Director of Housing.
You can find more information about housing assistance and contact email
More information on basic needs assistance is on the Basic Needs website:
This continues to be a trying time mentally, physically, and with work / life
balance issues. If you need additional time for assignments due to your
current situation, please contact me to discuss the options available to you.
Similarly, should something come up unexpectedly in my life that affects a
class meeting, I will let everyone know through email / Discord / Canvas.
The CSUB Counseling Center has both regular-hours and after-hours counseling
services available. Call 654-3366 to connect with their services. After their
normal operating hours, you can press 2 at any time to connect to the
after-hours service. More information is at
CSUB's Student Health Services is available for basic health care needs,
at little to no cost for CSUB students. You can find more information about
their services at
Current information about CSUB's COVID-19 plans, policies, and resources can
be found at
If you need help with technology, such as a loaner laptop and/or hotspot, ITS
has programs to provide technology assistance to students. Go to the following
ITS webpage to learn more about their programs:
The CEE/CS Department has academic software subscriptions available to students
enrolled in CMPS and ECE courses. This currently includes Microsoft, VMware,
and Mathematica. Go to the following page for more information:
CSUB ITS also many software products available to students through the Virtual
Computer Lab (VCL). You will need to use your myCSUB credentials to access
VCL. To see the full list of software and to access VCL, go to
|Quizzes on Reading Assignments|| 15%
|Lab Assignments|| 30%
|Checkpoint Assignments|| 30%
|Final Exam|| 25%
Grades are posted on Canvas. Note: Canvas does not penalize your grade for
any ungraded assignments, so it will show your "current" overall percentage
based off the classwork graded to-date.
It is your responsibility to check Canvas for grades and any comments on
assignments. If you believe you submitted your assignment on time but the
comment field says "assignment not received", contact me.
This course uses flexible due dates. Roughly speaking, you should aim to
submit the assignment within two weeks of it being assigned so that you are
staying on-track in the course, but Canvas will accept submissions through
the end of the term.
To give me sufficient time to grade assignments submitted at the end of the
term, the last day I will accept submissions of all assignments is 11:59pm
Friday May 20, 2022.
Every other week, beginning in Week 2, there will be a quiz on the reading
assignments and lecture topics. This quiz will be through the Canvas quiz
module and is automatically graded. The lowest quiz score will be dropped.
You may work on labs in groups of up to 3 students. If you work in a group,
only one student needs to submit the assignment, but make sure to put
everyone's names on the assignment submission. Only the students whose names
are on the assignment will get credit for the lab. If you are in a group but
are not the one submitting the assignment to Canvas, you may put a comment
in Canvas's Note field indicating who did submit the assignment for your
Submit your work to Canvas and I will grade it during my next grading session.
Do NOT email your submission as the campus spam system sometimes silently
blocks emails with attachments. The lowest lab grade will be dropped.
Every other week, beginning in Week 3, there will be a checkpoint assignment
to assess how everyone is doing in the course. These assignments will be a
mix of essay questions on lecture and lab topics, as well as additional
investigations into lab topics. The lowest grade will be dropped.
Submissions must be in a standardized document format (e.g., ODT, DOC, DOCX,
PDF, PNG, JPEG, etc.). Also, make sure to check your file after it has
uploaded, to be sure there were no upload errors.
If you have drawn something out by hand, take a picture or use a scanner and
upload the image to Canvas. Please keep the file sizes reasonable, but also
make sure the image is legible.
If you submit multiple files, please name them in a fashion that indicates
what they contain, e.g. lab2_drawing.jpg, lab4_part1.pdf, lab4_part2.pdf,
and so on.
If you have any difficulties submitting to Canvas, contact me for help.
Emailed submissions are not guaranteed to be accepted since my email volume
is so high and the spam detection software can silently drop emails.
The final exam is in two parts: Part 1 is a Canvas quiz module with
theoretical questions from both lecture and lab. Part 2 is a culminating
lab practicum where you will conduct the given analysis and upload your
The campus final exam schedule says that the final exam time slot for this
course is Wednesday May 18, 2022 from 5:00-7:30pm. However, I am giving you
the following windows to complete each part of the exam:
- Part 1 will be available from 12:01am Wednesday May 18th until
11:59pm Friday May 20th and will be taken as a Canvas quiz. (3 day
- Part 2 will be posted to Canvas on Friday May 6th and will be due at
11:59pm on Friday May 20th. This will be a Canvas assignment where you
will need to upload a report as your submission. (2 week window)
It is your responsibility to log into Canvas during these windows and to
complete both parts of the final exam.
If you have any connectivity, power, or technology issues that cause you to
get locked out of your attempt for Part 1 of the exam and/or that prevent you
from uploading a submission to Part 2, contact me as soon as possible to get
Melissa Danforth on January 21, 2022.
January 23, 2022 - Updated lab reference book to full book name instead of
short book name.
Approved by CEE/CS Department in Spring 2014
Effective Fall 2016