News
Practical Sheet #2, Points for Theopractical Sheet #2, and Announcements from YesterdayWritten on 31.05.25 by Roman Wetenkamp Dear students, here are a couple of announcements! :) Practical Sheet #2 As you have seen, the practical sheet 2 started yesterday. You have time until June 11 to submit your proof-of-work file and your answers in the online test. Please read the forum on a regular basis, as there might be… Read more Dear students, here are a couple of announcements! :) Practical Sheet #2 As you have seen, the practical sheet 2 started yesterday. You have time until June 11 to submit your proof-of-work file and your answers in the online test. Please read the forum on a regular basis, as there might be some clarifications on some exercises. Also feel free to post your questions there if you have some. I would recommend to start early, as the complexity and image sizes are a bit higher compared to the previous exercises. Theopractical Sheet #2 I have just released the feedback and the points for the theopractical sheet #2. There were a couple of problems in exercise 1, I will go over them next Thursday. I will release a sample solution with references for all devices in CMS soon. Before you complain via mail for the grading there, please double-check the following:
If you answer all these questions with yes and are very sure that you have another valid solution, please send me an email with a link to an online resource that supports your answer. In any other case, please do not send me mails about your individual points. Remember that we will have the clearing session in front of the exam. Thanks! Exam Registration The LSF registration for the final exam is already open (search for "IT-Forensik"). If you would like to take the exam, you have to register at least one week in advance of the exam. You are admitted to the exam if you score at least 60/100 points in the exercise sheets and have submitted six proof-of-work files in total by the end of the lecture period. It is your own responsibility to de-register in advance if you do not score enough points for the exam admission. According to university regulations, taking an exam without admission can be considered fraud. Exercise Session Room Change The next exercise session on June 5 takes again place in E1.3, HS 003 and virtually via Teams. Happy to see you there! Now please enjoy the rest of the weekend! Hope you are not unintentionally walking through the rain :D Best regards,
|
Cellebrite AnalysisWritten on 30.05.25 by Janine Schneider Hi all,
here is the link to the Signal block article I mentioned today in the lecture: https://signal.org/blog/cellebrite-vulnerabilities/
Best, Janine |
Note on Thesis and Hiwi Position InquiriesWritten on 15.05.25 by Janine Schneider Dear all,
Thank you very much for your interest and for the many inquiries I’ve received recently. I truly appreciate the engagement — however, the volume has become too high for me to respond individually. To clarify:
Dear all,
Thank you very much for your interest and for the many inquiries I’ve received recently. I truly appreciate the engagement — however, the volume has become too high for me to respond individually. To clarify:
Thank you for your understanding.
Best, Janine |
First Assignment is gradedWritten on 15.05.25 (last change on 15.05.25) by Roman Wetenkamp Dear students, the results for the first exercise sheet are published. You find a feedback file on your personal status page. I also uploaded a short solution file to the Materials section that indicates what I expected where. Additionally, I will cover all questions in today's exercise… Read more Dear students, the results for the first exercise sheet are published. You find a feedback file on your personal status page. I also uploaded a short solution file to the Materials section that indicates what I expected where. Additionally, I will cover all questions in today's exercise session. As some have already started doing so: Please refrain from sending me mails with individual complaints on gradings. You can talk to me before and after every exercise session. Additionally, we will have a "clearing session" in front of the exam where I am happy to fix grading problems of all sheets in case you need the points for the exam admission. If you got admitted by then already, please just keep in mind that you were doing a great job and silly Roman was just unable to recognize it. ;) Thanks for your understanding! Best regards,
|
First Assignment Deadline approaches + Exercise Session in E1.3, HS 003 on May 15Written on 13.05.25 by Roman Wetenkamp Dear students, as you probably know, the first assignment is due Wednesday evening (23:59). The forum contains some posts with comments on almost every question, so if you have any question, visit the forum first please. As of now, 100 people that have taken the online test have not submitted a… Read more Dear students, as you probably know, the first assignment is due Wednesday evening (23:59). The forum contains some posts with comments on almost every question, so if you have any question, visit the forum first please. As of now, 100 people that have taken the online test have not submitted a proof of work file yet. This is a gentle reminder: I can only consider your solution if you submit both the online test and the proof of work file until tomorrow evening! There are no fixed comprehensiveness or formatting requirements, but please make sure that I can review how and that you did your work. The next sheet will be released right after this week's exercise session on Thursday. You will then have time until next Wednesday (May 21st) to submit your answers and proof-of-work files. Please note that this week's exercise session on Thursday will take place in E1.3, lecture hall 003 and not in the CISPA building. As usual, you can also join online or watch the recording afterwards. And, by the way, the exam dates were confirmed. The exam will take place on August 8, the re-exam on September 24. Take care and enjoy the sun! Best regards, |
First Assignment, Exercise Session Room, and Tentative Exam DatesWritten on 02.05.25 (last change on 03.05.25) by Roman Wetenkamp Dear students, here are three news items I would like to announce: First Practical Sheet The first practical sheet has just been released. You have time until May 14, 23:59 (German time) to submit the online test and your proof of work file. We can only accept solutions if you submit… Read more Dear students, here are three news items I would like to announce: First Practical Sheet The first practical sheet has just been released. You have time until May 14, 23:59 (German time) to submit the online test and your proof of work file. We can only accept solutions if you submit both. The scenario will be about rhinographic material - a safe replacement for child porn crimes, an important aspect of forensic work. I would recommend to use Autopsy for this practical sheet, but there are also other tools that you can use. You will also need to do some research in the internet and probably use some other tools in addition. While the GUI version of Autopsy is recommended, the web-UI version will likely suffice too. Please do not post partial solutions or questions containing solutions in the forum. Clarification (May 3rd): The questions for the assignment are available in the online test that you find on your personal status page. You can open this test and edit your answers arbitrarily often without any other time limit than May 14. Additionally, I will upload a PDF print in CMS, but that is just for your convenience. Do not hesitate to open the test now to see what the questions look like.
Exercise Session Room As mentioned last time, we will not have the CISPA lecture hall next week (May 8). Instead, we will have the lecture hall 003 in E1.3. Thanks to the one student pointing out to me that it is free. :) All dates and rooms in the timetable were updated. Make sure to load a new *.ics file if you added it to your own calendar.
Tentative Exam Dates The final exam will likely take place on August 8, between 10 and 12. I am still missing the university's final confirmation, but I do not expect that to change. We will also offer a re-exam that will likely take place on September 24 in the afternoon. I will inform you once everything is fixed and the registration on CMS/LSF is open.
Have a great weekend and see you on Thursday! Best regards, |
How was Kidflix shut down?Written on 11.04.25 by Janine Schneider Dear all, as someone asked this morning how Kidflix was shut down and how cryptocurrencies contributed to this, I wanted to briefly elaborate on the case here. In fact, the case is another good example of the importance of digital forensics and how such cases are handled. The platform used the Tor… Read more Dear all, as someone asked this morning how Kidflix was shut down and how cryptocurrencies contributed to this, I wanted to briefly elaborate on the case here. In fact, the case is another good example of the importance of digital forensics and how such cases are handled. The platform used the Tor network and cryptocurrencies to remain supposedly anonymous. Investigators became aware of the platform through the so-called “Darknet Monitor”, which does exactly what the name suggests. Often the next step in such investigations is to infiltrate the platform to gather insider knowledge. In addition, similar to the Silk Road case, cryptocurrency transactions were analyzed to identify the perpetrators. A key institution involved in this case is the ZCB (Zentralstelle Cybercrime Bayern), a team of prosecutors and forensic experts who work exclusively on cybercrime cases. Together with institutions such as Europol, they were able to successfully combat this platform, which emphasizes the importance of international cooperation in such cases. Research has also contributed to this success as the Darknet Monitor, for example, was co-developed by Dutch researchers, as were cryptocurrency de-anonymization tools. Best, Janine
|
First Lecture on FridayWritten on 09.04.25 (last change on 10.04.25) by Roman Wetenkamp Dear students, a very warm welcome to the IT Forensics lecture! We are amazed that more than 250 people are interested in our course. The first lecture will take place this Friday from 10:15 to 11:45. As Dr. Schneider will not be in Saarbrücken during the semester, this and all following… Read more Dear students, a very warm welcome to the IT Forensics lecture! We are amazed that more than 250 people are interested in our course. The first lecture will take place this Friday from 10:15 to 11:45. As Dr. Schneider will not be in Saarbrücken during the semester, this and all following lectures will be given on Zoom. You can also attend the lectures from lecture hall 001 in E1.3. This option is especially meant to all students that have adjacent lectures on campus and to those of you that do not have a good learning environment at home. Just come and join the Zoom session from there. As I will not be there every week (this Friday I will), please bring your own laptop. The tutorials will start next week, the exercises in May. I will give you information on both on Friday. Looking forward to see you on Friday! Have a great semester start! Best regards, Roman |
IT Forensics
Have you ever wondered how criminals are caught in the digital era?
What traces do all of us leave on IT systems while interacting with them?
What is the truth behind those CSI movies we all know?
This advanced lecture deals with finding and evaluating legal evidence in IT systems for criminal prosecution.
Contents
- History, Types and Processes of IT Forensics
- Digital Traces and their Classification
- Persistent Memory (HDD, SSD, USB, Cloud, ...)
- File Systems and their Analysis
- Post-mortem vs. Live Analysis
- Digital Investigations
- Role of Technical Experts in Court
- Relevant Laws and Jurisdiction
You will not only learn about these topics in theory, but also get some hands-on experience with forensic tools like Autopsy.
The lectures and tutorials will be taught in English.
Prerequisites
There are no formal prerequisites. We recommend a working knowledge of operating systems and system architectures.
Lectures
The lectures will be held online on Fridays from 10:15 to 11:45. The first lecture will take place on April 11, 2025.
Zoom Link:
https://fau.zoom-x.de/j/61369523237
Meeting-ID: 613 6952 3237
Code: 757065
If you are on campus or would like to learn with others, you can join the sessions (on your own device) in lecture hall 001 in E1.3.
We will not record the lectures.
Tutorials
The weekly tutorials will be held on Thursdays from 14:15 to 15:45 mainly in the CISPA Lecture Hall (0.05), but on some days in other rooms. See the timetable for the up-to-date information. The first tutorial will take place on April 17, 2025. The tutorials will be in a hybrid format and recorded.
Teams Link:
Click here to join the Teams Meeting
Meeting-ID: 316 633 723 249
Code: VS9Wa77A
Some tutorials will contain practical exercises, for those you need to bring a laptop. Installation requirements will be announced in the first tutorial.
Attending the tutorials is optional, but highly recommended. You will not only get the chance to ask questions and solve exam-like exercises, but also get practical experience.
Examination
Format
The course concludes with a written final exam on campus that determines your final grade.
Main Exam:
August 8, 10:00-12:00 in GHH + E1.3 HS 003
Re-Exam:
September 24, 14:00-16:00 in GHH
Admission
Due to the high number of registrations, we needed to change the exercise sheet format. Sorry for the confusion!
Instead of usual written exercise sheets, we will have 7 online tests that you submit here on CMS.
- Most of the questions require structured input (multiple choice, pasting hash values, CTF-style flags, ...).
- Those online tests need to be solved individually. You are not allowed to work in groups. Already formed groups were deleted.
- We enforce a strict no-plagiarism and no-AI policy.
- All of these sheets will be graded in a semi-automated way.
You need to submit at least 6 of the 7 sheets and score at least 60 points to be admitted to the final exam.
Practical Sheets
You will be given three forensic images. You will analyze each of the given images using the forensic tools we discuss in the tutorials. Afterwards, you will answer some questions about the case in an online CMS test.
- You will have 12 days to solve each practical sheet.
- You can see the questions with the start of the exercise period.
- You can earn at most 20 points per sheet, resulting in a total of 60 points for the practical sheets.
Theopractical Sheets
Between the practical sheets, we will give out four exercise sheets containing smaller practical exercises and theory questions
- You will have 6 days to solve each theopractical sheet online.
- You can see the questions with the start of the exercise period.
- You can earn at most 10 points per sheet, resulting in a total of 40 points for the theopractical sheets.
Contact
If you have a question, please consider the tutorials or the forum first. If you need to write a mail, please send it to Roman, you find his address on the Team page. Expect an answer within four days and please be patient. If forum posts are still unanswered after four days, please write a "ping" mail including a link to the thread to Roman. Thanks for your understanding!