News

Points for Practical Sheet #2, Theopractical Sheet #3 and Exam Admission

Written on 19.06.25 by Roman Wetenkamp

Dear students,

I have just released the points for Practical Sheet #2 and Theopractical Sheet #3. You find the solutions in the corresponding NextCloud folders.

Theopractical Sheet #4 is also out now - you can submit your solutions until next Wednesday, 23:59 in the new JSON format.

A couple… Read more

Dear students,

I have just released the points for Practical Sheet #2 and Theopractical Sheet #3. You find the solutions in the corresponding NextCloud folders.

Theopractical Sheet #4 is also out now - you can submit your solutions until next Wednesday, 23:59 in the new JSON format.

A couple of notes / important points:

Exam Admission Criterion

Remember, in order to get admitted to the final exam, you need to score at least 60/100 points and have submitted at least 6 out of the 7 sheets.

The first 40 people have scored the needed 60 points and hence fulfill the first criterion. If you belong to this group, you still need to submit one additional sheet to get admitted. A sheet counts as submitted if you hand in a valid JSON file and a proof-of-work file. But you can decide to work on just one question and even if your answer is wrong, the sheet counts as submitted. I need to update the "Number of Submissions" counter manually, so please accept some days in delay.

Once you fulfill both criteria, the exam registration buttons will magically appear and you can register yourself for one or both exams. Please make sure to also register on LSF. As both Janine and I do not have LSF accounts, we cannot connect CMS and LSF, so please register on both systems if you plan to take the exam. 

Clearance Session

The clearance session for complaints about exercise sheet gradings will take place on July 17 between 13 and 14:15, so right before the last exercise session. You will need to register for this session on CMS. This session is only meant for students that have only little less than the 60 points and have a realistic chance to get admitted. If you are very far away or have already crossed the 60, this session is not for you.

"I have scored not enough points to get admitted to the exam, even if I score all points in the last two sheets. What should I do?"

First of all: That is not the end of the world. Please send me a mail. If applicable, explain special circumstances, for example, medical conditions. You might then be entitled to submit a bonus exercise.

With all other questions, consider the forum or the next exercise session on next Thursday.

Best regards,
Roman 

 

 

 

Theopractical Sheet #3: New Submission Format

Written on 12.06.25 (last change on 12.06.25) by Roman Wetenkamp

Dear all,

yesterday, a student of our course notified me that there is a security vulnerability in the CMS Online Test feature. As long as this vulnerability is not patched, we will adjust the modalities of exercise sheets slightly. You will need to submit your answers bundled in a single JSON file… Read more

Dear all,

yesterday, a student of our course notified me that there is a security vulnerability in the CMS Online Test feature. As long as this vulnerability is not patched, we will adjust the modalities of exercise sheets slightly. You will need to submit your answers bundled in a single JSON file as a regular CMS submission instead of the online test.

You find a PDF file with the exercises in the corresponding NextCloud folder in CMS. Additionally, there is a file template.json that you please use for your submission. Replace my name and my matriculation number with your own and fill the "question_x" values accordingly. The expected answer format is also described in the PDF Sheet.

For multiple choice questions, please submit a JSON Array with all answer options that you consider valid. 

Example:

How hot is it today in Saarbrücken?

[] I need a jacket, it's too cold

[] Above 30°C? Really?!

[] Just a normal day in Autumn

Expected Answer:

["Above 30°C? Really?!"]

If you consider multiple answers correct, it would accordingly be:

["Above 30°C? Really?!", "Just a normal day in Autumn"]

Make sure to use valid quotation marks. Having everything in a single JSON file should make it easier to validate your file.

If you face any problems or have questions regarding the format or the questions, please use the forum.

Lastly, please note that there is a bank holiday on next Thursday. The next exercise session takes place on June 26 in CISPA's lecture hall.

Enjoy the sun! ☀️

Best,
Roman

Important Notice Regarding the Exercise

Written on 02.06.25 by Janine Schneider

Dear all,

 

I'd like to address a few recurring points regarding the exercise and communication practices for this course.

  • The exercises are automatically graded, and due to the high number of participants, individual re-evaluation requests cannot be accommodated.

  • If your… Read more

Dear all,

 

I'd like to address a few recurring points regarding the exercise and communication practices for this course.

  • The exercises are automatically graded, and due to the high number of participants, individual re-evaluation requests cannot be accommodated.

  • If your submission was not graded due to an incorrect format, we regret to inform you that no adjustments can be made. It has been clearly and repeatedly communicated that submissions must strictly follow the required format in order to be processed by the automated system.

  • The current format and rules of the exercise remain unchanged. This course awards 6 ECTS, which is a substantial amount of credit. It is therefore entirely appropriate to expect active participation in the exercises without additional incentives such as exam bonus points. Completing the exercises is part of the expected workload and a core component of your learning.

  • Furthermore, please respect Roman’s request not to be contacted with individual emails about these topics. The exercise sessions are the appropriate place to raise questions so that they can be addressed in a way that benefits everyone.

While the majority of students have been respectful and engaged — and we truly appreciate that — it is important to be clear in this regard:
Emails concerning re-evaluation requests, exam bonus points, changes to the exercise format, or individual questions regarding the exercise sheets will be ignored from now on.

Thank you for your understanding and cooperation.

 

Best regards,

Janine

Practical Sheet #2, Points for Theopractical Sheet #2, and Announcements from Yesterday

Written on 31.05.25 by Roman Wetenkamp

Dear students,

here are a couple of announcements! :)

Practical Sheet #2

As you have seen, the practical sheet 2 started yesterday. You have time until June 11 to submit your proof-of-work file and your answers in the online test. Please read the forum on a regular basis, as there might be… Read more

Dear students,

here are a couple of announcements! :)

Practical Sheet #2

As you have seen, the practical sheet 2 started yesterday. You have time until June 11 to submit your proof-of-work file and your answers in the online test. Please read the forum on a regular basis, as there might be some clarifications on some exercises. Also feel free to post your questions there if you have some.

I would recommend to start early, as the complexity and image sizes are a bit higher compared to the previous exercises.

Theopractical Sheet #2

I have just released the feedback and the points for the theopractical sheet #2. There were a couple of problems in exercise 1, I will go over them next Thursday. I will release a sample solution with references for all devices in CMS soon.

Before you complain via mail for the grading there, please double-check the following:

  • Have you submitted valid JSON?
  • Have you submitted JSON that adheres to the specified format? -> "product-number" is not the same as "product_number".
  • Have you worked on the correct product? -> "Amazon Echo 1st Generation" is not the same as "Amazon Echo Dot" and "AVM FRITZ!Box 7490" is not the same as "AVM FRITZ!Box 7540".
  • Have you worked on the correct product version? -> Compare the FCC IDs if necessary.
  • Have you submitted valid product numbers? -> FBGA numbers are not necessarily also product numbers.

If you answer all these questions with yes and are very sure that you have another valid solution, please send me an email with a link to an online resource that supports your answer. In any other case, please do not send me mails about your individual points. Remember that we will have the clearing session in front of the exam. Thanks!

Exam Registration

The LSF registration for the final exam is already open (search for "IT-Forensik"). If you would like to take the exam, you have to register at least one week in advance of the exam.

You are admitted to the exam if you score at least 60/100 points in the exercise sheets and have submitted six proof-of-work files in total by the end of the lecture period. It is your own responsibility to de-register in advance if you do not score enough points for the exam admission. According to university regulations, taking an exam without admission can be considered fraud.

Exercise Session Room Change

The next exercise session on June 5 takes again place in E1.3, HS 003 and virtually via Teams. Happy to see you there!

Now please enjoy the rest of the weekend! Hope you are not unintentionally walking through the rain :D

Best regards,
Roman

 

Cellebrite Analysis

Written on 30.05.25 by Janine Schneider

Hi all,

 

here is the link to the Signal block article I mentioned today in the lecture:

https://signal.org/blog/cellebrite-vulnerabilities/

 

Best,

Janine

Note on Thesis and Hiwi Position Inquiries

Written on 15.05.25 by Janine Schneider

Dear all,

 

Thank you very much for your interest and for the many inquiries I’ve received recently. I truly appreciate the engagement — however, the volume has become too high for me to respond individually.

To clarify:

  • I am unfortunately not able to supervise theses, offer Hiwi… Read more

Dear all,

 

Thank you very much for your interest and for the many inquiries I’ve received recently. I truly appreciate the engagement — however, the volume has become too high for me to respond individually.

To clarify:

  • I am unfortunately not able to supervise theses, offer Hiwi (student assistant) positions, or take on project work (including guided projects, seminars, or similar), for students who are not enrolled at the University of Augsburg.

  • I also cannot speak on behalf of the chair of Christoph Sorge, handle inquiries intended for the chair, or refer you to other potential supervisors.

  • Please understand that I am also unable to forward such requests to other staff members or colleagues from CISPA.

  • Going forward, I will no longer be able to respond to messages regarding these matters.

Thank you for your understanding.

 

Best,

Janine

First Assignment, Exercise Session Room, and Tentative Exam Dates

Written on 02.05.25 (last change on 03.05.25) by Roman Wetenkamp

Dear students,

here are three news items I would like to announce:

First Practical Sheet

The first practical sheet has just been released. You have time until May 14, 23:59 (German time) to submit the online test and your proof of work file. We can only accept solutions if you submit… Read more

Dear students,

here are three news items I would like to announce:

First Practical Sheet

The first practical sheet has just been released. You have time until May 14, 23:59 (German time) to submit the online test and your proof of work file. We can only accept solutions if you submit both.

The scenario will be about rhinographic material - a safe replacement for child porn crimes, an important aspect of forensic work. I would recommend to use Autopsy for this practical sheet, but there are also other tools that you can use. You will also need to do some research in the internet and probably use some other tools in addition. While the GUI version of Autopsy is recommended, the web-UI version will likely suffice too. Please do not post partial solutions or questions containing solutions in the forum.

Clarification (May 3rd): 

The questions for the assignment are available in the online test that you find on your personal status page. You can open this test and edit your answers arbitrarily often without any other time limit than May 14. Additionally, I will upload a PDF print in CMS, but that is just for your convenience. Do not hesitate to open the test now to see what the questions look like.

 

Exercise Session Room

As mentioned last time, we will not have the CISPA lecture hall next week (May 8). Instead, we will have the lecture hall 003 in E1.3. Thanks to the one student pointing out to me that it is free. :) All dates and rooms in the timetable were updated. Make sure to load a new *.ics file if you added it to your own calendar.

 

Tentative Exam Dates

The final exam will likely take place on August 8, between 10 and 12. I am still missing the university's final confirmation, but I do not expect that to change. We will also offer a re-exam that will likely take place on September 24 in the afternoon. I will inform you once everything is fixed and the registration on CMS/LSF is open.

 

Have a great weekend and see you on Thursday!

Best regards,
Roman

How was Kidflix shut down?

Written on 11.04.25 by Janine Schneider

Dear all,

as someone asked this morning how Kidflix was shut down and how cryptocurrencies contributed to this, I wanted to briefly elaborate on the case here. In fact, the case is another good example of the importance of digital forensics and how such cases are handled. The platform used the Tor… Read more

Dear all,

as someone asked this morning how Kidflix was shut down and how cryptocurrencies contributed to this, I wanted to briefly elaborate on the case here. In fact, the case is another good example of the importance of digital forensics and how such cases are handled. The platform used the Tor network and cryptocurrencies to remain supposedly anonymous. Investigators became aware of the platform through the so-called “Darknet Monitor”, which does exactly what the name suggests. Often the next step in such investigations is to infiltrate the platform to gather insider knowledge. In addition, similar to the Silk Road case, cryptocurrency transactions were analyzed to identify the perpetrators. A key institution involved in this case is the ZCB (Zentralstelle Cybercrime Bayern), a team of prosecutors and forensic experts who work exclusively on cybercrime cases. Together with institutions such as Europol, they were able to successfully combat this platform, which emphasizes the importance of international cooperation in such cases. Research has also contributed to this success as the Darknet Monitor, for example, was co-developed by Dutch researchers, as were cryptocurrency de-anonymization tools.

Best,

Janine

 

First Lecture on Friday

Written on 09.04.25 (last change on 10.04.25) by Roman Wetenkamp

Dear students,

a very warm welcome to the IT Forensics lecture! We are amazed that more than 250 people are interested in our course.

The first lecture will take place this Friday from 10:15 to 11:45. As Dr. Schneider will not be in Saarbrücken during the semester, this and all following… Read more

Dear students,

a very warm welcome to the IT Forensics lecture! We are amazed that more than 250 people are interested in our course.

The first lecture will take place this Friday from 10:15 to 11:45. As Dr. Schneider will not be in Saarbrücken during the semester, this and all following lectures will be given on Zoom.

You can also attend the lectures from lecture hall 001 in E1.3. This option is especially meant to all students that have adjacent lectures on campus and to those of you that do not have a good learning environment at home. Just come and join the Zoom session from there. As I will not be there every week (this Friday I will), please bring your own laptop. 

The tutorials will start next week, the exercises in May. I will give you information on both on Friday.

Looking forward to see you on Friday! Have a great semester start!

Best regards,

Roman

Show all

IT Forensics

Have you ever wondered how criminals are caught in the digital era?
What traces do all of us leave on IT systems while interacting with them?
What is the truth behind those CSI movies we all know?

This advanced lecture deals with finding and evaluating legal evidence in IT systems for criminal prosecution.

Contents

  • History, Types and Processes of IT Forensics
  • Digital Traces and their Classification
  • Persistent Memory (HDD, SSD, USB, Cloud, ...)
  • File Systems and their Analysis
  • Post-mortem vs. Live Analysis
  • Digital Investigations
  • Role of Technical Experts in Court
  • Relevant Laws and Jurisdiction

You will not only learn about these topics in theory, but also get some hands-on experience with forensic tools like Autopsy.

The lectures and tutorials will be taught in English.

 

Prerequisites

There are no formal prerequisites. We recommend a working knowledge of operating systems and system architectures.

 

Lectures

The lectures will be held online on Fridays from 10:15 to 11:45. The first lecture will take place on April 11, 2025.

Zoom Link

https://fau.zoom-x.de/j/61369523237

Meeting-ID: 613 6952 3237
Code: 757065

 

If you are on campus or would like to learn with others, you can join the sessions (on your own device) in lecture hall 001 in E1.3.
We will not record the lectures.

 

Tutorials

The weekly tutorials will be held on Thursdays from 14:15 to 15:45 mainly in the CISPA Lecture Hall (0.05), but on some days in other rooms. See the timetable for the up-to-date information. The first tutorial will take place on April 17, 2025. The tutorials will be in a hybrid format and recorded.

Teams Link:

Click here to join the Teams Meeting

Meeting-ID: 316 633 723 249
Code: VS9Wa77A

Some tutorials will contain practical exercises, for those you need to bring a laptop. Installation requirements will be announced in the first tutorial.

Attending the tutorials is optional, but highly recommended. You will not only get the chance to ask questions and solve exam-like exercises, but also get practical experience.

 

Examination

Format

The course concludes with a written final exam on campus that determines your final grade.

Main Exam:
August 8, 10:00-12:00 in GHH + E1.3 HS 002

Re-Exam:
September 24, 14:00-16:00 in GHH

 

Admission

Due to the high number of registrations, we needed to change the exercise sheet format. Sorry for the confusion!

Instead of usual written exercise sheets, we will have 7 sheets that you submit here on CMS.

  • Most of the questions require structured input (multiple choice, pasting hash values, CTF-style flags, ...). 
  • Those sheets need to be solved individually. You are not allowed to work in groups. Already formed groups were deleted.
  • We enforce a strict no-plagiarism and no-AI policy.
  • All of these sheets will be graded in a semi-automated way.

You need to submit at least 6 of the 7 sheets and score at least 60 points to be admitted to the final exam.

Practical Sheets

You will be given three forensic images. You will analyze each of the given images using the forensic tools we discuss in the tutorials. Afterwards, you will answer some questions about the case in an online CMS test.

  • You will have 12 days to solve each practical sheet.
  • You can see the questions with the start of the exercise period.
  • You can earn at most 20 points per sheet, resulting in a total of 60 points for the practical sheets.
Theopractical Sheets

Between the practical sheets, we will give out four exercise sheets containing smaller practical exercises and theory questions

  • You will have 6 days to solve each theopractical sheet online.
  • You can see the questions with the start of the exercise period.
  • You can earn at most 10 points per sheet, resulting in a total of 40 points for the theopractical sheets.

 

Contact

If you have a question, please consider the tutorials or the forum first. If you need to write a mail, please send it to Roman, you find his address on the Team page. Expect an answer within four days and please be patient. If forum posts are still unanswered after four days, please write a "ping" mail including a link to the thread to Roman. Thanks for your understanding!

Privacy Policy | Legal Notice
If you encounter technical problems, please contact the administrators.