News
First Exercise Session/Tutorial on Thursday
Written on 15.04.25 by Roman Wetenkamp
Dear all, the first exercise session/tutorial (use them as synonyms) will take place on Thursday between 14:15 and 15:45. I will offer the following attendance modes:
You may choose a mode at your discretion and you can change that from week to week. There is no registration required. Again, the sessions are optional, but I would recommend joining them, as they might become useful for solving the exercise sheets.

Please bring a laptop to the session or have a computer ready when joining online, as we will install the required tools for the semester together. You will need some free disk space for that, at least 7 GB. There is no need to install anything beforehand, but you might save some time if you have some kind of Linux system ready before. Virtualizing it suffices (even WSL will do), but running it natively will speed up the things we do. Regarding distributions, I recommend Ubuntu or Kali, but leave that to you.

Finally, please note that there will not be a lecture this Friday due to the bank holiday (Good Friday). Additional service hint: Supermarkets will also be closed. ;)

See you on Thursday!

Best regards,
How was Kidflix shut down?
Written on 11.04.25 by Janine Schneider

Dear all,

as someone asked this morning how Kidflix was shut down and how cryptocurrencies contributed to this, I wanted to briefly elaborate on the case here. In fact, the case is another good example of the importance of digital forensics and how such cases are handled.

The platform used the Tor network and cryptocurrencies to remain supposedly anonymous. Investigators became aware of the platform through the so-called “Darknet Monitor”, which does exactly what the name suggests. Often the next step in such investigations is to infiltrate the platform to gather insider knowledge. In addition, similar to the Silk Road case, cryptocurrency transactions were analyzed to identify the perpetrators.

A key institution involved in this case is the ZCB (Zentralstelle Cybercrime Bayern), a team of prosecutors and forensic experts who work exclusively on cybercrime cases. Together with institutions such as Europol, they were able to successfully combat this platform, which emphasizes the importance of international cooperation in such cases. Research has also contributed to this success as the Darknet Monitor, for example, was co-developed by Dutch researchers, as were cryptocurrency de-anonymization tools.

Best,
Janine
First Lecture on Friday
Written on 09.04.25 (last change on 10.04.25) by Roman Wetenkamp

Dear students,

a very warm welcome to the IT Forensics lecture! We are amazed that more than 250 people are interested in our course.

The first lecture will take place this Friday from 10:15 to 11:45. As Dr. Schneider will not be in Saarbrücken during the semester, this and all following lectures will be given on Zoom. You can also attend the lectures from lecture hall 001 in E1.3. This option is especially meant for all students who have adjacent lectures on campus and for those of you who do not have a good learning environment at home. Just come and join the Zoom session from there. As I will not be there every week (this Friday I will), please bring your own laptop.

The tutorials will start next week, the exercises in May. I will give you information on both on Friday.

Looking forward to seeing you on Friday! Have a great semester start!

Best regards,
Roman
IT Forensics
Have you ever wondered how criminals are caught in the digital era?
What traces do all of us leave on IT systems while interacting with them?
What is the truth behind those CSI movies we all know?
This advanced lecture deals with finding and evaluating legal evidence in IT systems for criminal prosecution.
Contents
- History, Types and Processes of IT Forensics
- Digital Traces and their Classification
- Persistent Memory (HDD, SSD, USB, Cloud, ...)
- File Systems and their Analysis
- Post-mortem vs. Live Analysis
- Digital Investigations
- Role of Technical Experts in Court
- Relevant Laws and Jurisdiction
You will not only learn about these topics in theory, but also get some hands-on experience with forensic tools like Autopsy.
The lectures and tutorials will be taught in English.
Prerequisites
There are no formal prerequisites. We recommend a working knowledge of operating systems and system architectures.
Lectures
The lectures will be held online on Fridays from 10:15 to 11:45. The first lecture will take place on April 11, 2025.
Zoom Link:
https://fau.zoom-x.de/j/61369523237
Meeting-ID: 613 6952 3237
Code: 757065
If you are on campus or would like to learn with others, you can join the sessions (on your own device) in lecture hall 001 in E1.3.
We will not record the lectures.
Tutorials
The weekly tutorials will be held on Thursdays from 14:15 to 15:45, mainly in the CISPA Lecture Hall (0.05), but on some days in other rooms. See the timetable for up-to-date information. The first tutorial will take place on April 17, 2025. The tutorials will be in a hybrid format and recorded.
Teams Link:
Click here to join the Teams Meeting
Meeting-ID: 316 633 723 249
Code: VS9Wa77A
Some tutorials will contain practical exercises; for those, you need to bring a laptop. Installation requirements will be announced in the first tutorial.
Attending the tutorials is optional, but highly recommended. You will not only get the chance to ask questions and solve exam-like exercises, but also get practical experience.
Examination
Format
The course concludes with a written final exam on campus that determines your final grade. The dates of the main exam and the re-exam will be announced in the first weeks of the semester.
Admission
Due to the high number of registrations, we needed to change the exercise sheet format. Sorry for the confusion!
Instead of the usual written exercise sheets, we will have 7 online tests that you submit here on CMS.
- Most of the questions require structured input (multiple choice, pasting hash values, CTF-style flags, ...).
- Those online tests need to be solved individually. You are not allowed to work in groups. Already formed groups were deleted.
- We enforce a strict no-plagiarism and no-AI policy.
- All of these sheets will be graded in a semi-automated way.
You need to submit at least 6 of the 7 sheets and score at least 60 points to be admitted to the final exam.
Practical Sheets
You will be given three forensic images. You will analyze each of the given images using the forensic tools we discuss in the tutorials. Afterwards, you will answer some questions about the case in an online CMS test.
- You will have 12 days to solve each practical sheet.
- You can see the questions from the start of the exercise period.
- You can earn at most 20 points per sheet, resulting in a total of 60 points for the practical sheets.
Theopractical Sheets
Between the practical sheets, we will give out four exercise sheets containing smaller practical exercises and theory questions.
- You will have 6 days to solve each theopractical sheet online.
- You can see the questions from the start of the exercise period.
- You can earn at most 10 points per sheet, resulting in a total of 40 points for the theopractical sheets.
Contact
If you have a question, please consider the tutorials or the forum first. If you need to write a mail, please send it to Roman; you can find his address on the Team page. Expect an answer within four days and please be patient. If forum posts are still unanswered after four days, please write a "ping" mail to Roman, including a link to the thread. Thanks for your understanding!