Data Forensics I

Course Description

CET2880C — Data Forensics I is a 3-credit, lab-enhanced course in the Computer Engineering Technology taxonomy that introduces students to the principles, tools, and techniques of digital forensic investigation. The course focuses on the use of the most popular forensics tools and provides specific guidance on dealing with civil and criminal matters relating to law and technology. Students will learn the setup and use of an investigator's laboratory, how to perform data acquisition, web forensics, email forensics, mobile forensics, network analysis, and file recovery. The course covers tools and techniques explaining topics such as file structure, data recovery, e-mail and network investigations, and expert witness testimony, and includes discussion of how to manage a digital forensics operation in today's business environment.

This course is offered at multiple Florida state colleges including Miami Dade College (MDC), Valencia College, Northwest Florida State College (NWFSC), and Tallahassee State College (TSC), and is a core component of Digital Forensics Technical Certificate programs.

Learning Outcomes

Required Learning Outcomes

Upon successful completion of this course, students will be able to:

• Explain the concepts, history, and professional standards of computer/digital forensics and investigations.
• Describe the digital forensics investigation process, including proper evidence handling procedures from collection through presentation.
• Set up and manage a forensic investigator's laboratory, including hardware and software requirements.
• Perform data acquisition using forensically sound methods, including bit-stream imaging and write-blocking techniques.
• Process and analyze crime and incident scenes while maintaining chain of custody.
• Explain digital evidence controls, security, evaluation, cataloging, and storage principles.
• Identify and use current digital forensics software tools (e.g., FTK, Autopsy, EnCase) to examine file systems and recover data.
• Analyze Windows and command-line (CLI) operating system artifacts for forensic evidence.
• Recover deleted or damaged files, including graphics file recovery.
• Conduct email investigations and analyze email headers, logs, and metadata.
• Produce professional forensic investigation reports suitable for legal proceedings.
• Identify ethical responsibilities of a digital forensics investigator and expert witness.

Optional Learning Outcomes

The following outcomes may be addressed depending on institutional emphasis and course section:

• Perform mobile device forensics, including acquisition and analysis of smartphones and tablets.
• Apply forensic analysis techniques to Linux and macOS file systems.
• Conduct network forensics and analyze logs, packet captures, and network traffic.
• Perform live acquisition and virtual machine forensics.
• Investigate social media artifacts and web browser history for forensic evidence.
• Demonstrate knowledge of cloud forensics concepts and challenges.
• Provide expert witness testimony in a simulated or moot court setting.

Major Topics

Required Topics

The following content areas are consistently covered across Florida college offerings of CET2880C:

• The Digital Forensics Profession — History, scope, career roles, and legal authority of digital forensics investigators
• The Investigator's Office and Laboratory — Lab setup, hardware/software requirements, lab certification standards
• Data Acquisition — Bit-stream imaging, write blockers, acquisition methods, data recovery fundamentals
• Processing Crime and Incident Scenes — Evidence identification, collection, preservation, and chain of custody
• Digital Evidence Controls — Evidence security, evaluation, cataloging, and storage procedures
• Working with Windows and CLI Systems — Registry analysis, file system structures (FAT, NTFS), and artifact examination
• Current Digital Forensics Tools — Hands-on use of industry-standard tools (e.g., Autopsy, FTK Imager, EnCase)
• File Recovery and Validation — Recovering deleted files, hash validation, digital forensics analysis and validation
• Email Investigations — Header analysis, mail server logs, tracing email origins
• Investigation Report Writing — Structure, content, and professional standards for high-tech investigation reports
• Ethics and Legal Standards — Investigator ethics, applicable laws (e.g., Computer Fraud and Abuse Act, Fourth Amendment considerations), and expert witness conduct

Optional Topics

The following topics may be included depending on the instructor and program track:

• Linux and macOS File System Forensics — ext4, HFS+, APFS file system structures and forensic examination
• Recovering Graphics Files — File carving, metadata extraction, and image analysis
• Virtual Machine Forensics and Live Acquisitions — Acquiring evidence from running systems and virtualized environments
• Network Forensics — Packet analysis, intrusion logs, and network-based evidence
• Mobile Device Forensics — iOS and Android acquisition, app artifact analysis
• Social Media and Web Forensics — Browser artifacts, cached data, social platform evidence
• Cloud Forensics — Challenges and methodologies for investigating cloud-hosted data
• Expert Witness Testimony — Courtroom preparation, Daubert standards, and presentation of technical findings to lay audiences

Resources & Tools

The following textbook and platforms are commonly used in Florida college offerings of CET2880C:

• Textbook: Nelson, Phillips & Steuart — Guide to Computer Forensics and Investigations, 6th Edition, Cengage Learning (ISBN-13: 978-1-337-56894-4)
• Lab Platform: MindTap by Cengage Learning — online labs and assessments
• Forensic Tools: Autopsy (open source), FTK Imager (AccessData), EnCase (OpenText), Wireshark, Volatility
• Operating Environments: Windows 10/11 forensic workstation, SIFT Workstation (SANS), Kali Linux (optional)
• Write Blockers: Hardware and software write-blocking tools for forensically sound acquisition

Career Pathways

Successful completion of CET2880C provides a foundation for careers in digital investigation, cybersecurity, and law enforcement technology roles. Graduates and students in this track are regularly employed by government agencies, law enforcement, financial institutions, healthcare organizations, and private-sector employers.

• Digital Forensics Analyst / Examiner
• Cybercrime Investigator
• Incident Response Analyst
• IT Security Specialist
• e-Discovery Technician
• Law Enforcement Digital Evidence Technician

This course is a core requirement in the Digital Forensics Technical Certificate (T.C.) at FSCJ, Valencia College, and other Florida state colleges, and may articulate into Associate in Science (A.S.) programs in IT Security or Computer Engineering Technology.

Special Information

Certification Preparation

The content and skills covered in CET2880C align with and help prepare students for the following industry certifications:

• CompTIA CySA+ (Cybersecurity Analyst) — evidence handling, incident response
• AccessData Certified Examiner (ACE) — FTK tool proficiency
• EnCase Certified Examiner (EnCE) — EnCase tool proficiency
• GIAC Certified Forensic Analyst (GCFA) — SANS Institute digital forensics credential
• Certified Computer Examiner (CCE) — ISFCE vendor-neutral forensics certification

Note: Certification exams are not included in the course fee; students must register and pay independently with the respective certification body.

Lab Component

The "C" suffix in CET2880C designates a combined lecture/laboratory course. Students are expected to complete hands-on lab exercises each week using forensic tools in a controlled environment. Lab work typically accounts for a significant portion (up to 50%) of the course grade, reflecting the applied, skills-based nature of the curriculum.