Data Forensics II
CET2881C — DATA FORENSICS II
Course Description
CET2881C – Data Forensics II is a combined lecture and laboratory course in the Computer Engineering Technology program. Building on the foundations established in Data Forensics I (CET2785C or equivalent), this course advances students into intermediate and advanced digital forensics techniques. Students develop hands-on skills in the acquisition, preservation, analysis, and reporting of digital evidence from a broader range of sources including network traffic, mobile devices, cloud environments, and memory. Emphasis is placed on forensic tool proficiency, chain-of-custody documentation, and preparing findings for legal proceedings. This course aligns with industry certification objectives including CompTIA CySA+, AccessData Certified Examiner (ACE), and EnCase Certified Examiner (EnCE).
Learning Outcomes
Required Outcomes
Upon successful completion of this course, students will be able to:
- Apply advanced forensic acquisition techniques to preserve digital evidence from multiple source types while maintaining chain of custody.
- Conduct network forensics by capturing, filtering, and analyzing packet data to identify intrusions, data exfiltration, and malicious activity.
- Perform memory (RAM) forensics to extract volatile data including running processes, open network connections, and encryption keys.
- Analyze file systems, registry artifacts, log files, and metadata to reconstruct user activity and timelines.
- Produce professional-grade forensic investigation reports suitable for legal and organizational purposes.
- Demonstrate proper use of industry-standard forensic tools such as Autopsy, FTK (Forensic Toolkit), Wireshark, and Volatility.
- Apply relevant federal and Florida state laws governing digital evidence, privacy, and authorized access (e.g., Florida Computer Crimes Act, CFAA).
Optional Outcomes
Institutions may also include the following outcomes based on program emphasis:
- Perform mobile device forensics on Android and iOS platforms using tools such as Cellebrite UFED or Oxygen Forensic Detective.
- Investigate artifacts within cloud storage environments (e.g., Google Drive, OneDrive, Dropbox) and web-based services.
- Apply anti-forensics detection techniques to identify evidence tampering, steganography, encryption, and data wiping.
- Conduct forensic analysis of email headers, browser history, and social media artifacts.
- Demonstrate expert witness preparation skills, including courtroom testimony best practices.
Major Topics
Required Topics
- Review of Forensic Fundamentals: Chain of custody, write-blocking, forensic imaging, hashing (MD5/SHA), and evidence integrity.
- Advanced Disk and File System Analysis: NTFS, FAT32, ext4 artifact analysis; deleted file recovery; slack space and unallocated space examination.
- Windows Registry and Log Forensics: Registry hive analysis, event log review, prefetch and shellbag artifacts.
- Network Forensics: Packet capture with Wireshark; TCP/IP protocol analysis; identifying network intrusions and lateral movement.
- Memory (Volatile) Forensics: RAM acquisition techniques; analysis with Volatility framework; process, DLL, and network artifact extraction.
- Malware Forensics Fundamentals: Identifying indicators of compromise (IOCs); static and behavioral artifact analysis on compromised systems.
- Forensic Reporting and Documentation: Technical report writing; evidence presentation standards; legal admissibility requirements.
- Legal and Ethical Frameworks: Fourth Amendment considerations, search and seizure law, Florida Computer Crimes Act, computer fraud statutes, and professional ethics.
Optional Topics
- Mobile Device Forensics: Logical and physical acquisition of Android/iOS devices; app artifact analysis; GPS and communication records.
- Cloud and SaaS Forensics: Investigating cloud storage artifacts, metadata, and access logs; legal considerations for third-party data.
- Email and Web Browser Forensics: Header analysis, cache, cookies, browsing history, and webmail artifacts.
- Anti-Forensics Techniques and Detection: Steganography, data wiping tools (e.g., CCleaner), encryption, and timestomping.
- Virtualization and Container Forensics: Forensic analysis of VMware/VirtualBox disk images and snapshots.
- Incident Response Integration: Connecting forensic findings to incident response frameworks (NIST SP 800-61).
Resources & Tools
- Autopsy / The Sleuth Kit – Open-source digital forensics platform for disk and file analysis.
- FTK (Forensic Toolkit) & FTK Imager – Industry-standard evidence acquisition and analysis suite by AccessData/Exterro.
- Wireshark – Open-source network protocol analyzer for packet capture and analysis.
- Volatility Framework – Advanced open-source memory forensics framework.
- Cellebrite UFED / UFED Physical Analyzer – Mobile device data extraction (optional lab use).
- Kali Linux / SIFT Workstation – Forensic and security-focused Linux distributions commonly used in lab environments.
- NIST Computer Forensics Tool Testing (CFTT) Guidelines – Federal standards for forensic tool validation.
- SANS Digital Forensics & Incident Response (DFIR) Reading Room – Free whitepapers and case studies for supplemental learning.
Career Pathways
Graduates with skills from this course are prepared to pursue entry-level to mid-level roles in the following fields:
- Digital Forensics Analyst / Examiner – Law enforcement agencies, private sector, and government contractors.
- Cybersecurity Analyst – SOC teams focused on incident investigation and threat hunting.
- Incident Response Specialist – Responding to and investigating data breaches and cyber incidents.
- eDiscovery Technician – Supporting legal proceedings involving electronically stored information (ESI).
- Information Security Investigator – Corporate or insurance-based internal investigations.
This course also supports progression toward the A.S. in Computer Engineering Technology or related cybersecurity degree programs at Florida state colleges.
Special Information
Certification Preparation
The topics covered in this course align with objectives for the following industry certifications:
- CompTIA CySA+ (CS0-003) – Threat and vulnerability management, incident response, and forensic investigation.
- AccessData Certified Examiner (ACE) – Proficiency in FTK and forensic methodology.
- EnCase Certified Examiner (EnCE) – Advanced digital investigation and EnCase tool proficiency.
- GIAC Certified Forensic Analyst (GCFA) – Advanced forensic analysis and incident response.
Lab Component
The "C" lab indicator in the course ID (CET2881C) signifies that this is a combined lecture and laboratory course. Students are expected to complete hands-on forensic exercises in a controlled lab environment using forensic workstations, write-blockers, and forensically sound evidence images. Lab work constitutes a significant portion of the course grade and skill assessment.