Identifying Data 2020/21
Subject (*) Forensic Analysis of Devices Code 614530012
Study programme
Máster Universitario en Ciberseguridade
Descriptors Cycle Period Year Type Credits
Official Master's Degree 2nd four-month period
First Optional 3
Language
Spanish
Galician
Teaching method Face-to-face
Prerequisites
Department Ciencias da Computación e Tecnoloxías da Información
Computación
Coordinator
E-mail
Lecturers
Vázquez Naya, José Manuel
E-mail
jose.manuel.vazquez.naya@udc.es
Web http://faitic.uvigo.es
General description Forensic analysis of devices consists of applying scientific and analytical techniques to identify, preserve, analyse and present data that are valid within a legal process.

The subject "Forensic Analysis of Devices" has a strong practical component. It will begin with an introduction to the field, explaining key concepts. Next, the fundamentals and methodologies of forensic analysis will be studied from a generic point of view that is applicable to new cases, but concrete examples based on real cases will also be studied.

In the laboratory practices, students will learn to use different forensic analysis tools and will carry out exercises simulating real problems.
Contingency plan Contingency plan A: total or partial confinement of students and/or lecturers

1. Modifications to the contents
- No changes will be made


2. Methodologies
*Teaching methodologies that are maintained
- The teaching methodologies are maintained, except that instead of being carried out face-to-face in the classroom, they will be carried out with the help of ICT tools, as explained below.

*Teaching methodologies that are modified
- Guest lecture / keynote speech: will be delivered by videoconference.
- Laboratory practice: both the teaching and the defense of the practices, where applicable, will be carried out by videoconference.
- Objective test: will be carried out through Moodle (faitic), in combination with videoconference.
- Practice exam (second call and extraordinary session): will be carried out by videoconference.


3. Mechanisms for personalized attention to students
- E-mail: Daily. Used for queries and to request virtual meetings to resolve doubts.
- Moodle (faitic): Daily. According to the students' needs.
- Teams/Campusremoto: During the scheduled theory and practice hours. Also on demand, to resolve doubts.


4. Modifications to the assessment
- No changes will be made

*Assessment comments:
The same ones that appear in the teaching guide are maintained. In addition:

- If they cannot be carried out face-to-face, they will be carried out as indicated in the "Methodologies" section.

- If, for a justified reason, the student is unable to take the final exam (objective test) at the established time, the exam will be held as soon as possible and will become an oral test by videoconference.


5. Modifications to the bibliography or webography
None.



Contingency plan B: the number of students exceeds the classroom capacity

1. Modifications to the contents
- No changes will be made


2. Methodologies
*Teaching methodologies that are maintained
- The teaching methodologies are maintained, except that in addition to being carried out face-to-face, they will be carried out with the help of ICT tools, as explained below.

*Teaching methodologies that are modified
- Guest lecture / keynote speech: two groups will be established, which will attend face-to-face in alternate weeks. Videoconference will be used so that students in the group that is not due to attend face-to-face can access the sessions.
- Laboratory practice: two groups will be established, which will attend face-to-face in alternate weeks. Videoconference will be used so that students in the group that is not due to attend face-to-face can access the sessions. Shifts will be established for the defense of the practices, where applicable.
- Objective test: an alternative classroom with sufficient capacity will be sought.
- Practice exam (second call and extraordinary session): shifts will be established for taking it.


3. Mechanisms for personalized attention to students
- E-mail: Daily. Used for queries and to request virtual meetings to resolve doubts.
- Moodle (faitic): Daily. According to the students' needs.
- Teams/Campusremoto: During the scheduled theory and practice hours. Also on demand, to resolve doubts.


4. Modifications to the assessment
- No changes will be made

*Assessment comments:
The same ones that appear in the teaching guide are maintained. In addition:

- If they cannot be carried out face-to-face, they will be carried out as indicated in the "Methodologies" section.

- If, for a justified reason, the student is unable to take the final exam (objective test) at the established time, the exam will be held as soon as possible and will become an oral test by videoconference.


5. Modifications to the bibliography or webography
None.

Study programme competencies
Code Study programme competences
A6 CE6 - To develop and apply forensic research techniques for analysing incidents or cybersecurity threats
B1 CB1 - To possess and understand the knowledge that provides the foundations and the opportunity to be original in the development and application of ideas, frequently in a research context
B2 CB2 - Students will be able to apply their knowledge and their problem-solving ability in new or less familiar situations, within a broader context (or in multi-discipline contexts) related to their field of specialization
B3 CB3 - Students will be able to integrate diverse knowledge areas, and address the complexity of making statements on the basis of information which, notwithstanding incomplete or limited, may include thoughts about the ethical and social responsibilities entailed to the application of their professional capabilities and judgements
B7 CG2 - Ability for problem-solving. Ability to solve, using the acquired knowledge, specific problems in the technical field of information, network or system security
C4 CT4 - Ability to ponder the importance of information security in the economic progress of society

Learning aims
Learning outcomes Study programme competences
Knowledge of the appropriate methodologies for carrying out forensic work with legal validity AJ6
BJ1
CJ4
Ability to perform forensic analysis of the different elements that constitute an information system, on multiple platforms and operating systems AJ6
BJ2
BJ7
CJ4
Ability to generate reports as a result of forensic analysis that are clear, concise and intelligible to both experts and outsiders in the field of computer security AJ6
BJ3
BJ7
CJ4

Contents
Topic Sub-topic
1. Forensic Analysis Fundamentals Introduction
Fundamentals
Normative
Cloning
2. Windows Forensic Analysis Artifacts
Memory
Tools
Advanced Forensic Analysis
3. Mac OS Forensic Analysis Artifacts
Memory
Tools
Advanced Forensic Analysis
4. Mobile Devices Forensic Analysis (Android) Artifacts
Tools
Advanced Forensic Analysis
5. Mobile Devices Forensic Analysis (iOS) Artifacts
Tools
Advanced Forensic Analysis

Planning
Methodologies / tests Competencies Ordinary class hours Student’s personal work hours Total hours
Guest lecture / keynote speech A6 C4 11 22 33
Laboratory practice A6 B1 B2 B3 B7 C4 10 20 30
Objective test A6 B1 B2 B3 B7 C4 2 0 2
 
Personalized attention 10 0 10
 
(*)The information in the planning table is for guidance only and does not take into account the heterogeneity of the students.

Methodologies
Methodologies Description
Guest lecture / keynote speech Expositive classes for the presentation of the theoretical knowledge of each one of the subjects. The participation of students will be encouraged.
Laboratory practice Practical computer sessions in which the student must solve a series of exercise bulletins proposed by the professor. The exercises seek to consolidate the knowledge presented in the lectures and also encourage the student's autonomous learning.
Once the exercise bulletin is completed, the teacher will evaluate the work done by the student through a computer session.
The exercise bulletins will be published through the Master's training platform. A latest defense date will be set for each bulletin, with the aim of encouraging continuous study.
Objective test Written test through which the knowledge and skills acquired by the student will be assessed.

Personalized attention
Methodologies
Laboratory practice
Description
Resolution of doubts

Assessment
Methodologies Competencies Description Qualification
Laboratory practice A6 B1 B2 B3 B7 C4 Several practices related to the forensic analysis of equipment will be proposed throughout the course, in which the student will work with different tools and must perform cloning processes, information retrieval, report writing, etc. The practices will be of an individual nature. The statement of each practice will specify the deadline for its completion, as well as the evaluation method, which may be the delivery of a report, a computer test, or both. 60
Objective test A6 B1 B2 B3 B7 C4 Final exam, test type, through which the knowledge and abilities acquired by the student will be evaluated, both in the theory sessions and in the practical sessions. 40
 
Assessment comments

1. FIRST CALL

Throughout the course, a series of "laboratory practices" will be carried out, with the characteristics and weight indicated in the table above.

At the end of the course, an "objective test" will be carried out, with the characteristics and weight indicated in the table above.

2. SECOND CALL

An "objective test" shall be carried out, with the characteristics and weight indicated in the table above.

With respect to the "laboratory practices", the student may keep the grade obtained at the first opportunity. If the student has not presented the practices at the first opportunity, he/she will have to take a practice test. 

3. EXTRAORDINARY SESSION

An "objective test" shall be carried out, with the characteristics and weight indicated in the table above.

With respect to the "laboratory practices", the student may keep the grade obtained at the first opportunity (if applicable). In case of not having presented the practices at the first opportunity, a practice test must be submitted. 

4. PLAGIARISM

If plagiarism is detected in any of the evaluation tests, the final grade of the subject will be "failed (0)", a fact that will be communicated to the master’s coordination in order to take the appropriate measures.

5. CONDITION OF "NOT-TAKEN" 

Students who do not take the objective test will be considered as "not-taken".


Sources of information
Basic

All the necessary documentation will be available through Moodle (faitic).

Complementary


Recommendations
Subjects that it is recommended to have taken before

Subjects that are recommended to be taken simultaneously

Subjects that continue the syllabus

Other comments


(*)The teaching guide is the document in which the URV publishes the information about all its courses. It is a public document and cannot be modified. Only in exceptional cases can it be revised by the competent agent or duly revised so that it is in line with current legislation.