Module: Digital Forensics Techniques

(SSD ING-INF/05; 50 ore, 5 CFU)

Goals

The course provides the students with specific skills in the field of Digital Forensics Analysis and Investigation through an in-depth study of the systems and the best forensic investigation techniques. Such techniques can be employed to recover digital evidence as proof that can be produced during a legal trial.
The provided knowledge will give students a general vision of the aspects of Digital Forensics that, specifically, will concern topics of Computer Forensics Techniques, Mobile Forensics Analysis, Memory Forensics, and OSINT for Digital Forensics Intelligence. In particular, the aforementioned modules provide horizontal knowledge for modern operating systems and file-system to explore more data, network, and memory analysis techniques.
The proposed laboratories will be provided through an e-learning platform and will give the students practical skills that, together with the theoretical ones, will make them autonomous in the activities of Digital Forensics Analysis. In this context, more attention will be given to analysis techniques specific to Windows, Linux, and Android, thus allowing students to employ the techniques and tools available for the considered systems to maximize the probabilities of a successful forensic analysis.

Accordingly to the Dublin Descriptors, the goals of the course are the following:
Knowledge and understanding
- Having general knowledge of the methodological and technical aspects in the field of Digital Forensics;
- Having knowledge of the practical tools employed to carry out forensic analyses;
- Being able to properly use the various distributions of the system, in particular in the Unix/Linux setting.
Applying knowledge and understanding
At the end of the course, the students shall be able to perform the following:
- Being able to apply forensic investigation tools to a wide variety of devices, both Desktop/Laptop and Mobile (smartphones, tablets);
- Being able to exploit the different characteristics of the operating systems in relation to the type of forensic activities that the analyst wants to carry out;
- Being able to analyze memory images and documents;
- Being able to provide efficient reports according to clarity criteria, which are necessary to present evidence that is valid in the context of a trial.
Making judgments
At the end of the course, students will be able to perform the following:
- Being able to evaluate the forensic scenarios on which they operate and make a correct analysis for the activities that will follow;
- Being able to choose the necessary tools (Open Source or Commercial) to proceed with the extraction of digital evidence.
Communication skills
At the end of the course, students shall be able to illustrate and discuss the various phases of the forensics activities according to the proposed court cases.
Learning skills
The course will give the student the possibility to widen and acquire the use of new forensic tools through the reading of technical documentation and operating guides.

Required skills

The following prerequisites are necessary:
- Basic knowledge of the main distributions of Operating systems, with a particular focus on Unix/Linux, their commands, and processes;
- Knowledge of the structure of different file-system types contained in storage supports.

Subjects

The course is structured in modules, described as follows:

- MODULE 1 - INTRODUCTION (5 hours)

- MODULE 2 - COMPUTER FORENSICS TECHNIQUES (14 hours)
- General Computer Forensics concepts;
- Analysis and profiling of cases;
- Tools for forensics analysis (The Sleuth Kit);
- Preparation of environments for forensics analyses;
- Creation of a simulated test;
- Acquisition and basic analysis of legal evidence;
- Reporting activities and chain of custody;
- Case study and Labs.

- MODULO 3 – WINDOWS AND LINUX FORENSICS (9 ore)
- Afile system WIndows (NTFS) ed analisi artefatti (registro, pre-fetch, event manager);
- Analisi Powershell e codice di scripting;
- Analisi File System linux.

- MODULE 4 – LIVE MEMORY FORENSICS (9 hours)
- General aspects of the analysis of RAM in a device;
- Introduction to the forensic tool Volatility;
- Practical lab activities.

- MODULE 5 – MOBILE FORENSICS ANALYSIS (8 hours)
- General aspects of Mobile Forensics;
- Detailed aspects of Android and IOS systems;
- Techniques to analyze, verify, and extract data from mobile devices: smartphones, tablets (e.g., write blocking, device isolation, etc.);
- Data analysis with commercial and free software (Oxygen, Axiom, UFED).

- MODULE 6 - DOCUMENT FORENSICS (5 hours)
- Analysis of PDF and MS Office documents;
- Forensics of audio files;
- Practical lab activities.

Verification of learning

The assessment of learning will take place:
- Through the completion of a paper in which the student must detail a forensic analysis simulation, ideally conducted for a court, on one of the main topics covered during the course (forensics on mechanical disks/SSDs, forensics on mobile devices, forensics on RAM memories). The simulation revolves around some technical questions that the student must answer.
The paper is evaluated out of thirty, verifying:
a. The technical correctness of the answers given by the student (70% of the grade). 
b. The ability to correctly provide the reader with the basis for understanding the answers given (20% of the grade). 
c. The proper use of technical-forensic language (10% of the grade).
- Through a final oral exam in which the student demonstrates knowledge of the main forensic analysis techniques on digital devices and the ability to discuss them using appropriate terminology. The student must demonstrate judgment autonomy by identifying the advantages and disadvantages of the forensic techniques covered in the lessons and show adequate mastery of forensic language.

The exam is evaluated out of thirty, verifying:
a. The knowledge of the topics explained during the course functional to the completion of the project (40% of the final grade).
b. The ability to apply the acquired knowledge to the chosen project (30% of the final grade).
c. The autonomy of judgment regarding the forensic techniques to be employed (10% of the final grade).
d. The mastery of language in a technical-forensic context (20% of the final grade).
The final exam grade is the arithmetic mean between the two tests.

Module: Digital Forensics Law

(SSD IUS/20; 50 ore, 5 CFU)

Goals

According to the scope of the Master Course in Computer Engineering, Cybersecurity and Artificial Intelligence, the aim of the course “digital forensics” is that of equipping the student with the necessary knowledge to start a career in digital forensics
Knowledge and Understanding:
- the student will become aware of the existence of legal issues connected with information and communication technologies;
- the student becomes aware of the existence of the tial problems (civil and criminal) related to the new technologies.
Applying knowledge and Understanding: the the - student will be able to develop and use such technologies in a law-abiding manner;
- student will be able to understand legal aspects for the search, acquisition, storage, analysis and evaluation of digital evidence.
Making judgements: 
the student will develop the ability to legally evaluate computer evidence.
Communication skills:
the student will be able to interact with lawyers and legal experts in a qualified way.
Learning skills:
the student will be able to find from qualified sources and to interpret independently the current legislation applicable to its field of interest.

Required skills

There are no necessary prerequisites in terms of specialist knowledge.

Subjects

The course will be structured in three parts.
The first part is dedicated to the basic notions of computer law, with particular focus on computer crimes.
The second part is dedicated to the procedural aspects of the research, acquisition, conservation, analysis and evaluation of the digital evidences.
The third part is dedicated to privacy and personal data protection.

Verification of learning

The examination will consist of an oral assessment aimed at verifying the student’s acquisition of the knowledge outlined in the course objectives, with particular reference to the topics indicated in the “Subjects” section. The evaluation will take into account the student’s acquired knowledge, critical and methodological abilities, and competence in drawing interdisciplinary connections across the course syllabus. The oral examination is single and valid for both modules.

The purpose of the oral exam is to assess the student’s ability to apply their theoretical knowledge and to demonstrate appropriate logical-deductive reasoning skills.

Grading Criteria
By way of example only, the final grade will be awarded according to the following indicative criteria:
18–21: Sufficient or slightly above sufficient understanding of the topics covered; limited critical ability; difficulties in using technical-legal terminology.
22–25: Fair to good understanding of the topics; adequate critical ability; competent use of technical-legal terminology.
26–29: Good to very good understanding of the topics; good critical thinking skills; confident use of technical-legal terminology.
30–30L: Comprehensive knowledge of the topics; excellent critical ability; full command of technical-legal terminology.

(SSD ING-INF/04; 50 ore, 5 CFU)

Goals

In accordance with the teaching objectives of the Master’s Degree in Computer Engineering, Cybersecurity and Artificial Intelligence, the learning outcome of this course is to enable the student to obtain advanced competencies in relation to methods for the control and analysis of networked and multi-agent systems, also in relation to security challenges from a control-theoretic perspective, as detailed below.
Knowledge and understanding:
The student will understand formal models for the representation of networked and multi-agent dynamical systems through differential and difference equations, and the structural properties of such systems. The student will understand the most significant methods for analysis and distributed control, and their vulnerability to malfunctions or external attacks.
Applying knowledge and understanding:
The student will know how to define the structural properties of networked dynamical systems in connection with algebraic graph theory and the representation of networks through graphs. The student will be able to characterize the emerging behavior of networks of coupled dynamical systems, where the global or collective behavior is driven by simple and local interaction rules among their components.
Making judgements:
The student will be able to identify the advantages and disadvantages of networked control strategies, also in relation to their vulnerability to single component failures or attacks.
Communication:
The student will be able to clearly describe technical and scientific concepts related to networked and multi-agent dynamical systems.
Lifelong learning skills:
The student will learn how to combine knowledge from various sources, including recent scientific papers, in order to achieve a broader understanding of the issues related to the design and implementation of networked systems and their security challenges from a control-theoretic perspective.

Required skills

To follow the lectures with profit, the student is required to have obtained from previous courses the next knowledge, competencies and skills:
Elements of mathematical analysis, matrix algebra, geometry and physics. Multivariable integral and differential calculus. State space representation and analysis of dynamical systems. Elements of Matlab-Simulink programming.

Subjects

Introduction (2 hours frontal lectures)
Topics and objectives of the course.  Introduction to networked and multi-agent systems and motivating examples.

Introduction to algebraic graph theory (2 hours of frontal lectures)
Graphs as formal models for networks of dynamical systems. Definition of undirected and directed graphs and their properties. Classes of graph connectivity. Periodic and aperiodic graphs. The condensation graph and its properties. Weighted graphs. The adjacency matrix. Matlab for building and visualizing graphs. Random graphs. Proximity graphs.

Elements of non-negative matrix theory for dynamical systems (4 hours of frontal lectures, 2 hours of exercitation)
Definition and properties of non-negative matrices, stochastic matrices, irreducible matrices, primitive matrices, positive matrices. The Gershgorin disks theorem. The Perron-Frobenius theorem. Applications of the Perron-Frobenius theorem.

Discrete-time diffusion of information in networks and consensus (6 hours of frontal lectures, 2 hours of exercitation)
Social networks, multi-robot systems and sensor networks as examples of discrete-time averaging and consensus in networks of systems. Average Consensus algorithms and convergence results. Links between graph theory, matrix theory and dynamical systems and proofs of the results.Design of edge of weights: equal neighbors model and Metropolis Hasting weights. 

The Laplacian matrix and continuous-time consensus protocols (4 hours of frontal lectures, 2 hours of exercitation)
Definition of the Laplacian matrix. Structural properties. Examples on mechanical and electrical networks. Rank of the Laplacian matrix. Spectrum of the Laplacian matrix. Definition and meaning of algebraic connectivity, example on clustering problem.
The Laplacian flow dynamics. Examples of physical netoworks that evolve according to the Laplacian flow (mechanical/electrical networks). Second order Laplacian flows and their applications to multi-robot systems. Consensus theorems and convergence results.  

Coordination of multi-robot networks (8 hours of frontal lectures, 2 hours of exercitation)
Advanced Lyapunov stability analysis for nonlinear systems and invariant set theorems. Application scenarios of multi-robot systems. The rendezvous and leader following problem.
Introduction to coordination of mobile multi-robot system. The method of artificial edge potentials. Flocking and formation control. Design of artificial potentials for nonlinear rendevous, flocking, collision avoidance, connectivity maintenance. Convergence criteria.  Definition of rigid graphs, Infinitesimal rigidity, rigidity matrix and properties of its rank. Minimally rigid graphs and the Hanneberg sequence. Stability of rigid formations. 

Optimization and learning in networks of systems  (6 hours of frontal lectures, 2 hours of exercitation)
Fundamentals of convex optimization and distributed constrained and uncostrained optimization. Consensus based distributed optimization and ADMM methods.  Applications on supervised learning on networks.

Control over wireless networks and Secure data aggregation in network systems  (6 hours of frontal lectures, 2 hours of exercitation)
Motivating examples. General linear systems with packetdrops. Lyapunov theory for Mean Square Stability of Linear Systems with Packet Drops. Vulnerability to jamming or DoS cyber-phisical attacks. 
The bizantine generals problem. Majoritiy voting. Modeling Malicious agents. Calculating functions in the presence of malicious agents. Selection of recent results and open research  problems on security for networked systems: Secure consensus,  Resilient distribution optimization.

Verification of learning

The achievement of the learning objectives is verified by an oral examination in which the student shows understanding of the formal models of networked and multi-agent systems, their properties, and the methods for their analysis and control. The student will show autonomy in making judgments regarding the design choices presented in the course. The student will be able to communicate with the appropriate technical language. During the oral examination, the student chooses to discuss either the course assignments or a small project developed on the topics of the course and agreed upon with the lecturer.

The evaluation of the oral examination is quantified by a mark expressed in thirtieths.
The oral exam evaluates:
1- The knowledge of the topics covered in the course (40% of the final mark)
2- The application of the acquired knowledge (30% of the final mark)
3- The autonomy in making judgments regarding design choices (20% of the final mark)
4- The use of technical language (10% of the final mark)

(SSD ING-INF/05; 50 ore, 5 CFU)

Goals

Course Objectives
Understand X86-64, ARM, and MIPS architectures with a focus on disassembly, decompilation, and debugging.
Analyze malware for Windows/Linux/Android in controlled environments, identifying structure, behavior, and anti-analysis techniques.
Perform static and dynamic analysis of binaries and applications, with emphasis on PE and Android apps.
Produce comprehensive technical reports with Indicators of Compromise (IoCs) and defensive recommendations.

Intended Learning Outcomes (Dublin Descriptors)

A. Knowledge and Understanding

• ELF and PE internals: sections, import/export, entry point, relocations.
• Registers and instruction sets for X86-64, ARM, and MIPS.
• Static (disassembly, decompilation) and dynamic (debugging, tracing) analysis techniques.
• Malware structure and behavior (persistence, C2, packing, anti-debugging/anti-VM).
• APK/DEX structure and Android build pipeline (manifest, permissions, signing).

B. Applying Knowledge and Understanding

• Analyze binaries with Ghidra, IDA Free, radare2/Cutter.
• Debug with gdb, lldb, x64dbg.
• Conduct malware static and dynamic analysis in VMs/sandboxes, extract IoCs, and document results.
• Perform basic Android reversing (jadx, apktool, smali).

C. Making Judgments

• Select the most suitable analysis workflow (static/dynamic/hybrid).
• Evaluate evidence reliability and mitigation priorities.
• Recognize limits and risks (false leads, sandbox detection).

D. Communication Skills

• Produce clear technical reports (methodology, results, IoCs, impact, mitigations).
• Present findings concisely to a technical audience.

E. Learning Skills

• Stay current with tools and techniques.
• Adapt methods to new architectures and formats.

Required skills

Programming in C/C++ and Python.
Fundamentals of operating systems, networking, and computer architecture.
Familiarity with Linux and virtual machines (snapshots, NAT/host-only).

Subjects

Sequence: X86 → Malware Analysis → ARM → MIPS → Android

Module 1 – X86/64 Reverse Engineering (8h)
ELF internals, memory layout, registers, opcodes, function calls.
Disassembly & decompilation (Ghidra, IDA Free, radare2/Cutter).
Basic dynamic analysis (gdb, strace).
Lab: exercises on functions, stack frames, control flow.

Module 2 – Malware Analysis (18h)
Static analysis: PE format (sections, import/export, entry point, resources), packing/obfuscation indicators.
Dynamic analysis: safe lab setup (VMs, snapshots, isolated network), Procmon, Regshot, Wireshark.
Anti-analysis & persistence: anti-debugging/anti-VM techniques, persistence mechanisms and C2.
Labs: full analysis of didactic samples with reporting.

Module 3 – ARM Reverse Engineering (8h)
ARM architecture, registers, instructions, Thumb mode.
Cross-compilation, stack, function calls.
Lab: guided exercises.

Module 4 – MIPS Reverse Engineering (8h)
MIPS architecture, opcodes, branching, stack.
Cross-compilation and analysis toolchain.
Lab: guided exercises.

Module 5 – Android Reverse Engineering (8h)
APK/DEX structure, manifest, permissions.
Tools: jadx, apktool, baksmali/smali.
Basic dynamic analysis with Frida/objection.
Lab: reversing didactic apps, IoC collection and short report.

Verification of learning

• Full analysis of a didactic malware sample in a controlled environment, with submission of a detailed technical report.
• The report must include: static analysis (PE: sections, import/export, strings, entry point), dynamic analysis (behavior, persistence, network, filesystem), IoCs and defensive recommendations.
• Evaluation based on completeness, accuracy, and clarity of the report.