OHLONE COLLEGE Ohlone Community College District OFFICIAL COURSE OUTLINE

Transcription

1 OHLONE COLLEGE Ohlone Community College District OFFICIAL COURSE OUTLINE I. Description of Course: 1. Department/Course: CNET Title: Computer Forensics 3. Cross Reference: 4. Units: 3 Lec Hrs: 2 Lab Hrs: 3 Tot Hrs: Repeatability: No 6. Grade Options: Letter Grade, May Petition for Pass/No Pass (GC) Degree/Applicability: Credit, Degree Applicable, Transferable - CSU (T) 8. General Education: 9. Field Trips: Not Required 10. Requisites: Advisory CNET 170 Network Security (Security+) CNET 173 Ethical Hacking Catalog Description: This is an introductory course in Computer Forensics. Forensics Computing, Digital Forensics, or Computer Forensics is the name for a newly emerging field of study and practice that incorporates many areas of expertise. Some of these areas have been called network security, intrusion detection, incident response, infrastructure protection, disaster recovery, continuity planning, software engineering, cyber security, and computer crime investigation. It is an area of practice in public law enforcement at the federal, state, and local levels that deals with cyber crime, cyber vandalism, cyber predators, and cyber terrorism. In the private sector it deals with critical infrastructure such as business, hospitals, utilities transportation, finance, education, and other key institutions. 13. Class Schedule Description: Gain an in-depth hands-on knowledge of the principles, procedures, and techniques used in digital forensic analysis. 14. Counselor Information: CNET-170 and CNET-173, or Security+ certification, or equivalent experience recommended. II. Student Learning Outcomes The student will: 1. Demonstrate an understanding of forensic methodology, key forensics concepts, and identifying types of evidence on current Windows operating systems. 2. Demonstrate understanding of evidence chain-of-custody and integrity, E-discovery concepts, evidence acquisition and preservation, and the tools and techniques used by computer forensic examiners 3. Use a variety of computers operating system file systems (Microsoft Windows, DOS, Linux, and Macintosh) to examine the registry, boot partition; NTFS disk structure, boot tasks, and startup tasks.

2 III. 4. Show how the Windows registry, file metadata, memory, and file system artifacts can be used to trace user activities on suspect systems. 5. Demonstrate an understanding of forensic examination of user communication applications and methods, including browsers, host-based and mobile applications, Instant Messaging, and other software and Internet-based user communication applications. 6. Use at least one software tool and utility available in the forensic software arena to demonstrate an understanding of the purpose of the various types of Windows event, service and application logs, and the types of information they can provide. Course Content: A. What Is Computer Forensics? 1. What You Can Do with Computer Forensics 2. How People Get Involved in Computer Forensics a. Law Enforcement b. Military c. University Programs d. IT or Computer Security Professionals 3. Incident Response vs. Computer Forensics 4. How Computer Forensic Tools Work 5. Types of Computer Forensic Tools 6. Professional Licensing Requirements B. Learning Computer Forensics 1. Where and How to Get Training a. Law Enforcement Training b. Corporate Training 2. Where and How to Get Certified a. Vendor Certifications b. Vendor-Neutral Certifications 3. Staying Current a. Conferences b. Blogs c. Forums d. Podcasts e. Associations C. Creating a Lab 1. Choosing Where to Put Your Lab a. Access Controls b. Electrical Power c. Air Conditioning d. Privacy 2. Gathering the Tools of the Trade a. Write Blockers b. Drive Kits c. External Storage d. Screwdriver Kits e. Antistatic Bags f. Adaptors

3 3. Forensic Workstation a. Choosing Forensic Software b. Open Source SoftwareCommercial Software 4. Storing Evidence a. Securing Your Evidence b. Organizing Your Evidence c. Disposing of Old Evidence D. How to Approach a Computer Forensics Investigation 1. The Investigative Process a. What Are You Being Asked to Find Out? b. Where Would the Data Exist? c. What Applications Might Have Been Used in Creating the Data? d. Should You Request to Go Beyond the Scope of the Investigation? 2. Testing Your Hypothesis a. Define Your Hypothesis b. Determine a Repeatable Test c. Create Your Test Environment 3. Document Your Testing a. The Forensic Data Landscape b. Active Data c. Unallocated Space d. Slack Space e. Mobile Devices f. External Storage g. What Do You Have the Authority to Access h. Who Hosts the Data? i. Who Owns the Device? j. Expectation of Privacy E. Choosing Your Procedures 1. Forensic Imaging a. Determining Your Comfort Level b. Forensic Imaging Method Pros and Cons 2. Creating Forms and Your Lab Manual a. Chain of Custody Forms b. Request Forms c. Report Forms 3. Standard Operating Procedures Manual F. Testing Your Tools 1. When Do You Need to Test a. Collecting Data for Public Research or Presentations b. Testing a Forensic Method c. Testing a Tool d. Where to Get Test Evidence e. Raw Images f. Creating Your Own Test Images 2. Forensic Challenges a. Learn Forensics with David Cowen on YouTube b. Honeynet Project

4 c. DC3 Challenge d. DFRWS Challenge e. SANS Forensic Challenges f. High School Forensic Challenge 3. Collections of Tool Testing Images a. Digital Forensic Tool Testing Images b. NIST Computer Forensics Reference Data Sets Images c. The Hacking Case d. NIST Computer Forensics Tool Testing G. Live vs. Postmortem Forensics 1. Live Forensics 2. When Live Forensics Is the Best Option 3. Tools for Live Forensics 4. Postmortem Forensics 5. Postmortem Memory Analysis H. Capturing Evidence 1. Creating Forensic Images of Internal Hard Drives a. FTK Imager with a Hardware Write Blocker b. FTK Imager with a Software Write Blocker 2. Creating Forensic Images of External Drives a. FTK Imager with a USB Write Blocker b. FTK Imager with a Software Write Blocker 3. Software Write Blocking on Linux Systems 4. Creating Forensic Images of Network Shares a. Capturing a Network Share with FTK Imager 5. Mobile Devices 6. Servers I. Nontraditional Digital Forensics 1. Breaking the Rules: Nontraditional Digital Forensic Techniques a. Volatile Artifacts b. Malware c. Encrypted File Systems 2. Challenges to Accessing Encrypted Data a. Mobile Devices: Smart Phones and Tablets b. Solid State Drives c. Virtual Machines J. Case examples : how to work a case 1. Establishing the Investigation Type and Criteria 2. Determining What Type of Investigation Is Required 3. What to Do When Criteria Causes an Overlap 4. What to Do When No Criteria Matches 5. Where Should the Evidence Be? 6. Did This Occur over the Network? 7. Nothing Working? Create a Super Timeline 8. Human Resources Cases 9. Administrator Abuse 10. Stealing Information 11. Recovering Log Files to Catch a Thief

5 K. L. M. 12. Keyloggers and Malware Defending your work 1. Documenting Your Findings with Reports a. Documenting Your Findings b. Who Asked You to Undertake the Investigation c. What You Were Asked to Do d. What You Reviewed e. What You Found f. What Your Findings Mean 2. Types of Reports a. Informal Report b. Incident Report c. Internal Report d. Declaration e. Affidavit 3. Explaining Your Work a. Define Technical Terms b. Provide Examples in Layperson Terms c. Explain Artifacts Litigation and Reports for Court and Exhibits 1. Important Legal Terms 2. What Type of Witness Are You? a. Fact Witness b. Expert Consultant c. Expert Witness d. Special Master e. Neutral 3. Writing Reports for Court a. Declarations in Support of Motions b. Expert Reports 4. Creating Exhibits 5. Working with Forensic Artifacts LABS 1. Introduction to File Systems Digital Forensics Fundamentals. 2. Common Locations of Windows Artifacts Digital Forensics Fundamentals. 3. Hashing Data Sets Digital Forensics Fundamentals. 4. Drive Letter Assignments in Linux Evidence Acquisition, Preparation and Preservation. 5. The Imaging Process Evidence Acquisition, Preparation and Preservation 6. Introduction to Single Purpose Forensic Tools Digital Forensics Fundamentals. 7. Introduction to Autopsy Forensic Browser Evidence Acquisition, Preparation and Preservation. 8. Introduction to PTK Forensics Basic Edition Evidence Acquisition, Preparation and Preservation. 9. Analyzing a FAT Partition with Autopsy File and Program Activity Analysis. 10. Analyzing a NTFS Partition with PTK File and Program Activity Analysis. 11. Browser Artifact Analysis Browser Forensics. 12. Communication Artifacts User Communications Analysis.

6 13. User Profiles and the Windows Registry System and Device Profiling and Analysis. 14. Log Analysis Log. 15. Memory Analysis File and Program Activity Analysis. 16. Forensic Case Capstone Capstone Lab IV. Course Assignments: A. Reading Assignments 1. Textbook readings and online supporting webpages to inform the student on forensic methodology, key forensics concepts, identifying types of evidence on current Windows operating systems, evidence chain-of-custody and integrity, E-discovery concepts, evidence acquisition and preservation, and the tools and techniques used by computer forensic examiners. B. Projects, Activities, and other Assignments 1. Hands-on lab assignments on the Ohlone NetLAB+ remote lab system on software tools and utilities available in the forensic software arena and how to use a variety of computers operating system file systems (Microsoft Windows, DOS, Linux, and Macintosh) to examine the registry, boot partition; NTFS disk structure, boot tasks, and startup tasks. Troubleshooting non expected outcomes. C. Writing Assignments 1. Worksheets and Lab Reports to support the lab assignments and document the results of those lab assignments. V. Methods of Evaluation: A. Objective quizzes on forensic methodology, key forensics concepts, identifying types of evidence on current Windows operating systems, evidence chain-of-custody and integrity, E-discovery concepts, evidence acquisition and preservation, and the tools and techniques used by computer forensic examiners. B. Lab Projects to demonstrate competency on software tools and utilities available in the forensic software arena and how to use a variety of computers operating system file systems (Microsoft Windows, DOS, Linux, and Macintosh) to examine the registry, boot partition; NTFS disk structure, boot tasks, and startup tasks. Troubleshooting non-expected outcomes. C. Final comprehensive exam on forensic methodology, key forensics concepts, identifying types of evidence on current Windows operating systems, evidence chain-of-custody and integrity, E-discovery concepts, evidence acquisition and preservation, and the tools and techniques used by computer forensic examiners. D. Skills-based assessment (capstone lab) on software tools and utilities available in the forensic software arena and how to use a variety of computers operating system file systems to examine the registry, boot partition; NTFS disk structure, boot tasks, and startup tasks. VI. Methods of Instruction: A. Lecture B. Laboratory C. Discussion D. Demonstration E. Distance Learning F. Other

7 1. Ohlone CNET department NetLAB+ remote lab environment. VII. Textbooks: Recommended 1. David Cowen Computer Forensics: infosec Pro guide 1st Edition, McGraw Hill, 2013 ISBN: Supplemental VIII. Supplies: Approval Date: CCC Number: TOP Codes: CID 5416