CFRS 500 Introduction to Forensic Technology and Analysis Spring 2016


Instructor: Brian Hussey
E-mail: bhussey@cybercrimeinvestigators.com

CFRS 500-001 Introduction to Forensic Technology and Analysis

Distance learning via:

- Udemy.com: Access to course materials will be provided via these online links:
  - Primary CFRS 500-001 (Coupon Code: GMU_Students_2016SP-CCI) or via this free link: https://www.udemy.com/ifci-expert-cybercrime-investigatorscourse/?couponcode=gmu_students_2016sp-cci
  - SONY Hack Study (GMU_Students_2016SP-SONY) or via this free link: https://www.udemy.com/ifci-great-sony-hack-of-2014/?couponcode=gmu_students_2016sp-SONY
- Cybercrimeinvestigators.com: Students will be provided access to class materials and will comment on videos in the gallery.
- mymasonportal.gmu.edu: Blackboard; upload all labs and assignments, and take exams.
- Skype: Class discussions and question/answer sessions will occur on Skype. Please contact me on Skype at bhussey222. Identify yourself as a Fall 2015 GMU student when you contact me. Skype sessions are voluntary but encouraged. They are currently scheduled for Thursdays @ 6:00pm, starting September 3rd, 2015.

Syllabus:

This course will introduce concepts and techniques involved with the analysis of digital media. Topic selection will vary across several different sub-disciplines, to include network intrusions, cyber-terrorism, malware analysis, network log analysis, and memory analysis. However, the specific focus will be on hard drive analysis, forensic artifacts found in Windows operating systems, and methodologies for recovering and deciphering them. The majority of the lessons will be in the context of investigating a network intrusion. By the end of this class, students will have a basic understanding of the underlying concepts of computer forensic investigations and they will have a basic framework for conducting the full lifecycle of a forensic investigation, from acquisition to technical analysis and reporting.
Hybrid Course Format:

Online classes will use the websites Udemy.com and cybercrimeinvestigators.com. Videos for this course will be available for home viewing on these sites. You will be provided access for the duration of the class at George Mason. To receive access, do the following:

- Udemy - Go to Udemy.com, create your profile, and use the links provided above for free access to both courses.
- cybercrimeinvestigators.com - Create a profile, and validate the account via the automated email you receive. E-mail me at bhussey@cybercrimeinvestigators.com with your username and the email address you used, and I will then grant you access to the course materials.

Computer

All students will be required to have access to a computer with a Windows Operating System installed (XP or newer). Students must have administrative rights on this computer. The professor suggests, if possible, that students bring Windows-based laptop computers to each class, as we will do labs in class that students can follow along with. However, if a student does not have access to a laptop computer, they may use the computers provided in class.

Materials

Class materials will be posted to Blackboard; they will often be posted in a compressed (.rar or .zip) format. It is the responsibility of the student to come to every class with all of the required materials, in an uncompressed format. The materials can be saved on a laptop, thumb drive, or CD/DVD, but they must be easily accessible for in-class labs.

Assessment

15% - Blogs & Labs
Most classes will involve labs. Students are expected to complete the labs and post them to Blackboard. Additionally, each week students must go to the website https://cybercrimeinvestigators.com/gallery. This site is a collection of free videos relating to cybercrime, malware, or computer forensics. On this site, you must watch 2 videos of your choice every week and you must provide a thoughtful comment on them. 1-2 paragraphs is sufficient. Your comment may be original or in response to another classmate's comment.

25% - Midterm Exam
The 8th class session will be a mid-term exam. It will be composed of multiple choice, true/false, and essay questions. It will contain questions that are cumulative from the first half of the semester. This exam will account for 25% of the student's grade in this course.

25% - Final Exam
The 15th class session will be a final exam. It will be composed of multiple choice, true/false, and essay questions. It will contain questions that are cumulative from the entire class (however, the majority of questions will be based on the second half of the course). This exam will account for 25% of the student's grade in this course.

10% - Evidence Acquisition Project
During the first half of the semester, the professor will provide pictures of a mock office setting containing a variety of pieces of digital evidence. Students will review the pictures and identify both digital and non-digital evidence. Then each student will provide a report of the process they would take to acquire the evidence. The report will include details about what hardware and software they would use to acquire the evidence, the notes they would take, and the pictures they took when deployed to the scene. The student should also explain why they chose to use the methods they describe in their report.

25% - Forensic Investigation Group Project

Students will form small groups of 2-4 people. The group will work together to plan a crime that will be solved via a computer forensic investigation. Students will create a VMware system using either Windows XP or Windows 7. It will be the responsibility of each group to gain access to a Windows OS to use for this project. George Mason students do have access to a Microsoft MSDN via this website: http://msdn05.eacademy.com/gmu_bsit. Students will have to establish their own account to use it.

Students will execute their crime using the VM. Students should ensure that their crime creates forensic artifacts discussed in this class. After the crime is committed and forensic artifacts are created, the students will make a forensic image of the system. They will then use the techniques taught in this class to conduct forensic analysis on the VM. Students will create a forensic analysis report documenting their findings. Screenshots must be included in this report to verify their findings. The final product will include both a written report and a 10 minute oral presentation describing the crime and how they solved it using computer forensics.

The following specific steps will be taken to successfully complete this project:

1. Create a group of 3-4 students. Get together and create a detailed, written plan that documents what kind of crime they will use the computer for. Any kind of crime is acceptable as long as (of course) it is completely fabricated and NOTHING ILLEGAL ACTUALLY OCCURS!
2. Use the VM for everyday user activity; this will create noise that will make the investigation more realistic.
   a. Create a minimum of 3 user profiles on the system.
   b. Set up email that is saved on the computer directly and is not web-based. Students can use Outlook Express, download Thunderbird, or use another format that the group prefers.
   c. Surf the Internet for various topics. The group must use Internet Explorer, but they can use other browsers as well, if they choose. Download various files from the Internet and save them in various locations on the hard drive.
   d. Download a number of programs and run them.
   e. Plug USB drives into the system, copy files to them, and open the files on both the USB drive and on the host system.
   f. Delete some files by placing them in the Recycle Bin; delete other files permanently.
   g. Conduct these activities over a MINIMUM of one week; the longer the better.
3. Now that the system is properly set up, it is time to execute the crime of your choosing.
   a. The crime should involve analysis of e-mail, Internet, registry, timeline, prefetch files, link files, and as many more forensic artifacts as possible. Your grade will be dependent on how many forensic artifacts are recovered and analyzed; keep this in mind when planning and executing your crime.
4. After the crime is committed, the team will forensically acquire the system using FTK Imager Lite. It should be a live image. Acquisition of RAM is also highly encouraged.
5. The group will now conduct forensic analysis on the image. You can use the tools provided in this class or any other tool that you prefer. Remember to examine as many forensic artifacts as possible. I highly suggest examining every item discussed in this class.

6. Create your forensic analysis report. The final package should include the following:
   a. The detailed written crime plan created in step 1.
   b. A page showing the specific responsibilities that each group member conducted as part of this project.
   c. Forensic Analysis Report (**All findings should include a screenshot**)
      i. Executive Summary
      ii. Media Acquisition
         1. This should include the type of acquisition conducted, the scene of the acquisition, and the type of system acquired.
         2. Include size, MD5 hash, and time of acquisition.
         3. Include basic system information, such as operating system, user accounts, hard drive size, file system, etc.
      iii. Timeline of Events
      iv. Details of Analysis
         1. This section should include all the various items forensically examined.
         2. Reporting of findings should be fact based. For example: The Internet Explorer Index.dat file was parsed to show Internet History. Analysis of this file showed that the user profile Jim visited www.xbadsite.xx.com 127 times on June 2, 2013 between 8:27:13am and 8:27:15am.
         3. It is acceptable to make expert opinions based on fact. Mark all opinions as an Analyst's Comment and format them in italics. For example: (ANALYST'S COMMENT: The system visited 127 pornographic sites in the span of 2 seconds but never visited one before or after those two seconds. The analyst believes that this activity was not the intent of the user because it was very anomalous behavior and occurred faster than an individual could purposefully conduct the actions. This is more indicative of an automated event or malicious code.)
         4. This report should show all technical analysis and examination of forensic artifacts and it should include an explanation / interpretation of events.
      v. List of all software tools used during analysis of this case.
7. In addition to the report package, a 10 minute oral presentation must be prepared. It will be given in the class directly prior to the final exam. A PowerPoint presentation must be prepared to guide the presentation. The presentation should describe the crime, the forensic analysis, and the group's findings.

Session Descriptions

Session 1 - Course introduction, introduction to the field of computer forensics, sources and types of evidence
  Reading: http://www.digital-detective.net/digital-evidence-discrepancies-casey-anthony-trial/
Session 2 - Forensic acquisitions of various forms of media, hashes, write-blocking, and chain of custody
  LABS 1 & 2
Session 3 - Introduction to file systems. Concepts of sectors, clusters, and slack space. Timestamps and timeline analysis. User accounts and file / action attribution.
  LAB 3
Session 4 - Internet activity and e-mail analysis
  LABS 4 & 5
Session 5 - Windows system forensic artifacts: Link files, temp files, Recycle Bin, prefetch files, Pagefile, hiberfil.sys
  LABS 6 & 7
Session 6 - Windows system forensic artifacts cont'd & file signatures
  LABS 8, 9, & 10
Session 7 - Windows system logs & registry analysis
  LABS 11 & 12
  Reading: Go study for the midterm.
Session 8 - Mid-term exam
Session 9 - Introduction to malware, rootkits and network intrusion methodologies
  Meet with group to develop final project plans
Session 10 - Network data analysis, ports and TCP/IP & Windows 8 forensics
  LAB 13
Session 11 - Cybercrime, cyberterror, and cyber-espionage. Attack vectors and steganography
Session 12 - Volatile memory analysis
  LAB 14
Session 13 - Dynamic malware analysis
  LAB 15
  Group meetings for final presentation preparation.
Session 14 - The Great SONY hack of 2014
Session 15 - Final exam

Late Assignment Policy:

In general, late assignments will not be accepted and will be recorded as a 0% grade. All assignments are expected to be uploaded to Blackboard by midnight of the due date. In the event that unforeseen circumstances prevent a student from being able to turn in their assignment, the professor may grant permission for late submission. However, the student's grade will be significantly decreased; the exact amount subtracted from the student's score will depend on the number of days late the assignment is.

Attendance Policy:

GMU Policy: Students are expected to attend the class periods of the courses for which they register. In-class participation is important not only to the individual student, but also to the class as a whole. Because class participation may be a factor in grading, instructors may use absence, tardiness, or early departure as de facto evidence of nonparticipation. Students who miss an exam with an acceptable excuse may be penalized according to the individual instructor's grading policy, as stated in the course syllabus. Students are expected to make prior arrangements with the Instructor in writing (e-mail is preferable) if they know in advance that they will miss any class and to consult with the Instructor if they miss any class without prior notice. Absences from final exams will not be excused except for sickness on the day of the exam or other cause approved by the student's academic dean or director. The effect of an unexcused absence from an undergraduate final exam shall be determined by the weighted value of the exam as stated in the course syllabus provided by the instructor. If absence from a graduate final exam is unexcused, the grade for the course is entered as F. See the Additional Grade Notations in the Grading System section for information on being absent with permission.

CFRS 500 Practice: Excused absences may be granted on days that are not scheduled for an exam or project. To achieve credit for the absence from class, the student will be required to view the course video on cybercrimeinvestigators.com and complete any labs scheduled for that week (available on Blackboard). The student will e-mail the professor a synopsis of the reading and slides. The e-mail should display that the student has attained an understanding of that week's course content, as well as the completed lab sheets (complete with screenshots verifying the lab was completed).

Honor Code:

All students matriculating in this course are subject to the George Mason University Honor Code. Plagiarism, cheating and theft of intellectual property are strictly prohibited and will result in failing the class.

The instructor reserves the right to make changes to this syllabus throughout the course of the class as he deems necessary.