News
Cancelled: Exercise Session on May 8
Written on 06.05.25 by Roman Wetenkamp
Dear students,
unfortunately, I need to cancel the exercise session this week (May 8) due to sickness. I am sorry for the inconvenience. If you have questions on the first practical sheet or the lectures, please visit the forum first, read related posts and if not asked yet, consider posting your question there (if you are not giving away solutions). You can also send me mails if necessary.
In general, everything I have seen so far in your online tests and proof-of-work submissions looks very good. Next week we will cover the last three lectures and go over the solutions for the hacking case and the first practical sheet.
Thanks for your understanding. Have a great week!
Best regards,
First Assignment, Exercise Session Room, and Tentative Exam Dates
Written on 02.05.25 (last change on 03.05.25) by Roman Wetenkamp
Dear students, here are three news items I would like to announce:
First Practical Sheet
The first practical sheet has just been released. You have time until May 14, 23:59 (German time) to submit the online test and your proof of work file. We can only accept solutions if you submit both. The scenario will be about rhinographic material - a safe replacement for child porn crimes, an important aspect of forensic work. I would recommend using Autopsy for this practical sheet, but there are also other tools that you can use. You will also need to do some research on the internet and probably use some other tools in addition. While the GUI version of Autopsy is recommended, the web-UI version will likely suffice too. Please do not post partial solutions or questions containing solutions in the forum.
Clarification (May 3rd): The questions for the assignment are available in the online test that you find on your personal status page. You can open this test and edit your answers arbitrarily often without any other time limit than May 14. Additionally, I will upload a PDF print in CMS, but that is just for your convenience. Do not hesitate to open the test now to see what the questions look like.
Exercise Session Room
As mentioned last time, we will not have the CISPA lecture hall next week (May 8). Instead, we will have the lecture hall 003 in E1.3. Thanks to the one student pointing out to me that it is free. :) All dates and rooms in the timetable were updated. Make sure to load a new *.ics file if you added it to your own calendar.
Tentative Exam Dates
The final exam will likely take place on August 8, between 10 and 12. I am still missing the university's final confirmation, but I do not expect that to change. We will also offer a re-exam that will likely take place on September 24 in the afternoon. I will inform you once everything is fixed and the registration on CMS/LSF is open.
Have a great weekend and see you on Thursday!
Best regards,
How was Kidflix shut down?
Written on 11.04.25 by Janine Schneider
Dear all,
as someone asked this morning how Kidflix was shut down and how cryptocurrencies contributed to this, I wanted to briefly elaborate on the case here. In fact, the case is another good example of the importance of digital forensics and how such cases are handled.
The platform used the Tor network and cryptocurrencies to remain supposedly anonymous. Investigators became aware of the platform through the so-called “Darknet Monitor”, which does exactly what the name suggests. Often the next step in such investigations is to infiltrate the platform to gather insider knowledge. In addition, similar to the Silk Road case, cryptocurrency transactions were analyzed to identify the perpetrators.
A key institution involved in this case is the ZCB (Zentralstelle Cybercrime Bayern), a team of prosecutors and forensic experts who work exclusively on cybercrime cases. Together with institutions such as Europol, they were able to successfully combat this platform, which emphasizes the importance of international cooperation in such cases. Research has also contributed to this success as the Darknet Monitor, for example, was co-developed by Dutch researchers, as were cryptocurrency de-anonymization tools.
Best, Janine
First Lecture on Friday
Written on 09.04.25 (last change on 10.04.25) by Roman Wetenkamp
Dear students,
a very warm welcome to the IT Forensics lecture! We are amazed that more than 250 people are interested in our course.
The first lecture will take place this Friday from 10:15 to 11:45. As Dr. Schneider will not be in Saarbrücken during the semester, this and all following lectures will be given on Zoom. You can also attend the lectures from lecture hall 001 in E1.3. This option is especially meant for all students who have adjacent lectures on campus and for those of you who do not have a good learning environment at home. Just come and join the Zoom session from there. As I will not be there every week (this Friday I will), please bring your own laptop.
The tutorials will start next week, the exercises in May. I will give you information on both on Friday.
Looking forward to seeing you on Friday! Have a great semester start!
Best regards, Roman
IT Forensics
Have you ever wondered how criminals are caught in the digital era?
What traces do all of us leave on IT systems while interacting with them?
What is the truth behind those CSI movies we all know?
This advanced lecture deals with finding and evaluating legal evidence in IT systems for criminal prosecution.
Contents
- History, Types and Processes of IT Forensics
- Digital Traces and their Classification
- Persistent Memory (HDD, SSD, USB, Cloud, ...)
- File Systems and their Analysis
- Post-mortem vs. Live Analysis
- Digital Investigations
- Role of Technical Experts in Court
- Relevant Laws and Jurisdiction
You will not only learn about these topics in theory, but also get some hands-on experience with forensic tools like Autopsy.
The lectures and tutorials will be taught in English.
Prerequisites
There are no formal prerequisites. We recommend a working knowledge of operating systems and system architectures.
Lectures
The lectures will be held online on Fridays from 10:15 to 11:45. The first lecture will take place on April 11, 2025.
Zoom Link:
https://fau.zoom-x.de/j/61369523237
Meeting-ID: 613 6952 3237
Code: 757065
If you are on campus or would like to learn with others, you can join the sessions (on your own device) in lecture hall 001 in E1.3.
We will not record the lectures.
Tutorials
The weekly tutorials will be held on Thursdays from 14:15 to 15:45 mainly in the CISPA Lecture Hall (0.05), but on some days in other rooms. See the timetable for the up-to-date information. The first tutorial will take place on April 17, 2025. The tutorials will be in a hybrid format and recorded.
Teams Link:
Click here to join the Teams Meeting
Meeting-ID: 316 633 723 249
Code: VS9Wa77A
Some tutorials will contain practical exercises; for those, you need to bring a laptop. Installation requirements will be announced in the first tutorial.
Attending the tutorials is optional, but highly recommended. You will not only get the chance to ask questions and solve exam-like exercises, but also get practical experience.
Examination
Format
The course concludes with a written final exam on campus that determines your final grade.
Main Exam:
August 8, 10:00-12:00 in GHH + E1.3 HS 003
Re-Exam:
September 24, 14:00-16:00 in GHH
Admission
Due to the high number of registrations, we needed to change the exercise sheet format. Sorry for the confusion!
Instead of usual written exercise sheets, we will have 7 online tests that you submit here on CMS.
- Most of the questions require structured input (multiple choice, pasting hash values, CTF-style flags, ...).
- Those online tests need to be solved individually. You are not allowed to work in groups. Already formed groups were deleted.
- We enforce a strict no-plagiarism and no-AI policy.
- All of these sheets will be graded in a semi-automated way.
You need to submit at least 6 of the 7 sheets and score at least 60 points to be admitted to the final exam.
Practical Sheets
You will be given three forensic images. You will analyze each of the given images using the forensic tools we discuss in the tutorials. Afterwards, you will answer some questions about the case in an online CMS test.
- You will have 12 days to solve each practical sheet.
- You can see the questions with the start of the exercise period.
- You can earn at most 20 points per sheet, resulting in a total of 60 points for the practical sheets.
Theopractical Sheets
Between the practical sheets, we will give out four exercise sheets containing smaller practical exercises and theory questions.
- You will have 6 days to solve each theopractical sheet online.
- You can see the questions with the start of the exercise period.
- You can earn at most 10 points per sheet, resulting in a total of 40 points for the theopractical sheets.
Contact
If you have a question, please consider the tutorials or the forum first. If you need to write a mail, please send it to Roman; you will find his address on the Team page. Expect an answer within four days and please be patient. If forum posts are still unanswered after four days, please write a "ping" mail including a link to the thread to Roman. Thanks for your understanding!