School of Engineering
ICT FOR INTERNET AND MULTIMEDIA
Course unit
DIGITAL FORENSICS
INP8084209, A.Y. 2018/19

Information concerning the students who enrolled in A.Y. 2018/19

Information on the course unit
Degree course Second cycle degree in
ICT FOR INTERNET AND MULTIMEDIA
IN2371, Degree course structure A.Y. 2017/18, A.Y. 2018/19
N0
Degree course track CYBERSYSTEMS [002PD]
Number of ECTS credits allocated 6.0
Type of assessment Mark
Course unit English denomination DIGITAL FORENSICS
Department of reference Department of Information Engineering
E-Learning website https://elearning.dei.unipd.it/course/view.php?idnumber=2018-IN2371-002PD-2018-INP8084209-N0
Mandatory attendance No
Language of instruction English
Branch PADOVA
Single Course unit The Course unit can be attended under the option Single Course unit attendance
Optional Course unit The Course unit can be chosen as Optional Course unit

Lecturers
Teacher in charge SIMONE MILANI ING-INF/03
Other lecturers DEBORA PROVOLO IUS/17
SILVIA SIGNORATO IUS/16

Mutuated
Course unit code Course unit name Teacher in charge Degree course code
INP8084209 DIGITAL FORENSICS SIMONE MILANI IN2371

ECTS: details
Type Scientific-Disciplinary Sector Credits allocated
Educational activities in elective or integrative disciplines IUS/17 Criminal Law 2.0
Core courses ING-INF/03 Telecommunications 4.0

Course unit organization
Period First semester
Year 1st Year
Teaching method frontal

Type of hours Credits Teaching hours Hours of individual study Shifts
Lecture 6.0 48 102.0 No turn

Calendar
Start of activities 01/10/2018
End of activities 18/01/2019

Examination board
Board From To Members of the board
1 A.Y. 2018/2019 01/10/2018 15/03/2020 MILANI SIMONE (Chair)
SIGNORATO SILVIA (Full member)
BADIA LEONARDO (Substitute)
CALVAGNO GIANCARLO (Substitute)
CORVAJA ROBERTO (Substitute)
ERSEGHE TOMASO (Substitute)
LAURENTI NICOLA (Substitute)
PROVOLO DEBORA (Substitute)
ROSSI MICHELE (Substitute)
TOMASIN STEFANO (Substitute)
VANGELISTA LORENZO (Substitute)
ZANELLA ANDREA (Substitute)
ZANUTTIGH PIETRO (Substitute)
ZORZI MICHELE (Substitute)

Syllabus
Prerequisites: In order to attend the course, students must possess a basic knowledge of Calculus, Linear Algebra (including basic matrix operations, inversion and diagonalization), and Probability Theory (random variables, probability mass/density functions and their properties).
Attendees will have the opportunity of testing their preliminary knowledge with an online test.
Basic knowledge of Matlab software is required.

Some preliminary knowledge of image processing, computation of local descriptors, and supervised classification of data arrays can be useful (although not strictly necessary). Such topics are described in detail within the Computer Vision and Machine Learning courses.
Target skills and knowledge: The course is structured in order to provide students with both technical and theoretical knowledge about legal issues and analysis strategies concerning digital data.

In its various articulations the course is expected to provide the students with the following knowledge.
1. Main investigation strategies for digital forensics analysis.
2. Main mathematical models that govern the physical phenomena underlying digital forensics investigations.
3. Knowledge of the main application scenarios in cross-disciplinary contexts.
4. Knowledge of legally-relevant procedural aspects.
5. Knowledge of technical-legal terminology.

The following skills will be developed.
1. Ability to use the analysis strategies presented during the course.
2. Ability to engineer the main algorithmic strategies presented in the course.
3. Capability of identifying the most appropriate strategy given a specific real case.
4. Ability in performing a digital investigation correctly according to the presented procedural aspects.
5. Capability of presenting a digital investigation using a correct technical-legal terminology.

Students will also have the opportunity to develop and use some forensic analysis strategies by means of lab sessions.
Examination methods: Final evaluation will be performed by means of a written exam and the development of a final project (to be documented in a written report). Alternatively, the final project report can be replaced by two lab session reports on two lab experiences (chosen by the student).
Reports must be handed in at least one day before the final exam. The final score will be a weighted average of the evaluation of the written exam (70%) and the final project (30%).

The evaluation topics for the written exam will be clearly indicated during the course and in the course material.

The written exam consists of 4 problems (made of open and multiple-choice questions): three problems will concern forensic analysis strategies and one problem will be related to some legal issues analyzed during the course.
Assessment criteria: The final evaluation will be determined by the students' level of knowledge of the topics presented during the course and their ability to apply some analysis strategies.

Such topics will be clearly indicated during the course and in the course material.

Evaluation criteria will be:
1. Completeness of the acquired knowledge on the forensic analysis of digital data.
2. Completeness of the knowledge regarding normative and procedural aspects related to the role of forensics expert.
3. Ability to implement and use different digital forensics algorithms.
4. Proper use of the adopted technical-legal terminology.
5. Appropriateness and effectiveness in the identification of the most suitable digital investigation strategies with respect to the considered application scenarios.
6. Programming abilities.
7. Quality of oral exposition.

Every effort on the student's part revealing personal involvement and special care will be recognized in the score.
Course unit contents: Introduction to digital forensics. Data processing in legal issues.

a.1) Disk forensics.
a.1.1. Introduction, identification of evidence, data seizure and acquisition, authentication, processing and analysis, documenting the results. Maintaining the "Chain of Evidence".
a.1.2. Disk encryption, data encryption cracking, malicious use of encryption (ransomware).

a.2) Network forensics.
a.2.1. Data transmission protocols and web servers.
a.2.2. Data tapping strategies: eavesdropping by sniffing, router information processing, server logs analysis, wireless traffic collection and processing, eavesdropping by malware.
a.2.3. Intrusion detection.
a.2.4. Identity theft and phishing.
a.2.5. Anti-forensics strategies: encryption and obfuscation. The TOR protocol.

a.3) Multimedia forensics.
a.3.1. The acquisition of multimedia data. Digital camera and microphone models.
a.3.2. Image/Video source authentication from noise (PRNU) or firmware identification (CFA interpolation, compression strategies).
a.3.3. Multimedia data embedding: steganography and steganalysis, watermarking.
a.3.4. Image/Video tampering strategies. Advanced solutions for tampering detection: pixel-based, format-based, camera-based, physically-based, geometric-based.
a.3.5. Real cases examples.
a.3.6. Audio source authentication. Audio tampering and its detection.
a.3.7. Biometric traits. Facial recognition, voice identification, fingerprint analysis and matching. Image/video/audio quality enhancement for forensic investigation.

a.4) Social network forensics.
a.4.1. Data sharing and diffusion on social networks.
a.4.2. Social network data pool: social footprint, communication pattern, images and videos, activity, applications.
a.4.3. Strategies for user identification, localization (space and time), and profiling.


b.1) Cybercrimes
b.1.1. Fundamentals of criminal law: constitutional principles; definition of crime; essential elements of crime.
b.1.2. Sources of international and supranational law on the prevention and repression of cybercrime. The transnational character of cybercrime.
b.1.3. Definition of cybercrime; distinction between cybercrime in a narrow sense (computer crime) and cybercrime in a broader sense (computer-related crime).
b.1.4. Analysis of some types of cybercrimes, in particular: unauthorized access to computer or telecommunications systems; illicit possession and diffusion of access codes; illegal interception, interruption or hindrance of computer or telecommunications systems; damages to computer systems and data; phishing; computer-related fraud; theft or unlawful use of a digital identity; computer privacy violations; computer crimes of copyright infringement; cryptolocker ransomware; cyberbullying; cyberterrorism.
b.1.5. The criminal use of social media.
b.1.6. Peculiar problems concerning the criminal responsibility of the ISP.


b.2) Criminal Investigations
b.2.1. Features of digital investigations. Immateriality, transnationality, cooperation.
b.2.2. Types of digital investigations. Pretrial, reactive and proactive investigations.
b.2.3. Means for obtaining evidence. Inspections, searches, seizures, interceptions of conversations or communications.
b.2.4. Clone copy. Bit stream image.
b.2.5. The role of the digital forensics expert and the right of defence.
Planned learning activities and teaching methods: The course rationale can be divided into two main parts:
a) Digital forensics strategies;
b) Legal significance of digital data: uses, presentation and preservation.

The first part consists of 4 modules:
a.1 Disk forensics;
a.2 Network forensics;
a.3 Multimedia forensic analysis;
a.4 Social network forensics.

The second part is divided into two modules:
b.1 Cybercrimes.
b.2 Criminal Investigations.

Within this course, teaching activities and methodologies consist of:

Part a). Digital forensics strategies
Frontal lectures where course topics are presented by means of digital slides (PowerPoint) and blackboard notes. Such topics will also be clarified with practical examples of digital processing using MATLAB.
Lectures are alternated with lab sessions where every student will have the opportunity of applying and testing some investigation procedures. Within the course, 4 lab sessions are going to be scheduled.

Part b). Legal significance of digital data: uses, presentation and preservation.
Frontal lectures where course topics are presented by means of digital slides (powerpoint) and blackboard notes.
Additional notes about suggested reading: The study material is given by the class-notes made available before every class meeting.
The notes distill and condense various research papers and content coming from several textbooks.

The frontal teaching activities involve the use of transparencies, blackboard sketches, as well as example programs to be tested at home. All the teaching material presented during the lectures is made available on the platform "http://elearning.dei.unipd.it". Students will be provided with a MATLAB license by the University of Padova for lab exercises and programming.
Textbooks (and optional supplementary readings)
  • Klette, Reinhard, Concise Computer Vision. Springer London: --, 2014.
  • Bishop, Christopher M., Pattern recognition and machine learning. New York: Springer, --.
  • Watt, Jeremy; Borhani, Reza; Katsaggelos, Aggelos, Machine learning refined: foundations, algorithms, and applications (electronic resource). New York: Cambridge University Press, 2016.

Innovative teaching methods: Teaching and learning strategies
  • Lecturing
  • Laboratory
  • Case study
  • Use of online videos
  • Loading of files and pages (web pages, Moodle, ...)

Innovative teaching methods: Software or applications used
  • Moodle (files, quizzes, workshops, ...)
  • Latex
  • Matlab

Sustainable Development Goals (SDGs)
  • Quality Education
  • Industry, Innovation and Infrastructure
  • Peace, Justice and Strong Institutions