Cybercrime is one of the most significant, and by far the most prevalent threat to digital infrastructure. In this course we will analyze the main mechanism, characteristics and drivers of cybercrime (including its underground economy). We will then analyze the techniques for forensic analysis of digital devices (with a specific attention to the Italian legal context and two dedicated case studies, but with a general overview of methodologies applicable internationally). Network forensics and cloud forensics will also be introduced. Finally, since most cybercriminals try to directly monetize their attacks, attention will be devoted to fraud detection technologies, and to technologies for tracking movement of digital currencies and cryptocurrencies.

After passing the exam, the students will know the basics of underground economy, and the different dynamics and modus operandi of cybercriminals. They will also know the basic procedures and requirements of forensic analysis, both in a general and abstract way and in the particular case of the Italian legal framework. They will know the techniques to properly preserve and analyze digital evidence of various types and from various sources. They will understand the basics of antiforensic techniques.

They will be able to use forensic tools to acquire sources and analyze simple disk images.

1. Cybercrime
   1. General landscape and modus operandi of cyber criminals
   2. The underground economy and crime-as-a-service
   3. Financially-motivated malware
   4. Tracking cryptocurrency transactions in malware investigations
2. Fraud detection and analysis
   1. Fraud: definitions, typical examples
   2. Detecting frauds: operational measures
   3. Machine learning techniques for fraud detection and analysis
   4. Case studies
3. Digital forensics principles
   1. Forensic science: repeatability, falsifiability; Daubert test; Italian legal framework
   2. Digital Forensics phases
4. Source acquisition
   1. Digital crime scene preservation principles
   2. Acquisition of digital media
   3. Acquisitions from network systems and from the cloud
   4. Acquisition of mobile devices
   5. Peculiarities and special cases
5. Forensic analysis of mass storage
   1. Disk geometry, file systems, metadata
   2. Deleted files recovery (including carving and slack space)
   3. Repeatability of analysis and integrity preservation
   4. Forensic tool examples (with practical demonstrations)
   5. Anti-forensic techniques
6. Digital investigations: evaluation of evidence and presentation
   1. Methodical doubts
   2. Analysis of common mistakes
   3. Aspetti di etica professionale

A small set (8 hrs) of optional classes in Italian will be dedicated to Italian legal principles to be applied in forensics: repeatability standards and the way analysis is performed in Italian courts, along with 2 case studies of Italian legal proceedings. 

Students should have attended a basic security course, such as "Computer Security" or "Cybersecurity technologies, procedures and policies". An understanding of file system principles and of basic networking technologies is helpful.

Written (or oral) theoretical exam on the subjects presented in the course. The exam may take the form of simple questions, or of basic cases presented with some questions to answer.