703.608.0975 rick@warrenworks.com

Northern Virginia Community College
Annandale Campus

Spring Semester 2019
16-Week Session

ITN 276 – Computer Forensics I
Section 048N – 3 Credit Hours
Syllabus

 

 

Last Modified: 02/16/2022 15:10:09

 

 

Course Description | Prerequisites | Instructor | Text | Class Hours | Office Hours | Important Dates | Course Objectives | Major Topics | Grades | Class Schedule | Inclement Weather Policy | Academic Dishonesty | Attendance Policy | Learning And Growth PolicyEmergency Evacuation Procedures | Safety PreparationFun Policy

Course Description:

Teaches computer forensic investigation techniques for collecting computer-related evidence at the physical layer from a variety of digital media, (hard drives, compact flash, and PDAs) and performing analysis at the file system layer.
ITN 276 Computer Forensics I Course Content Summary

 

Prerequisites and Corequisites:

ITN 106 and ITN 107, or ITE 221 Computer Program Design. Corequisites: ITN 260
ITN 106 Microcomputer Operating Systems Course Content Summary
ITN 107 Personal Computer Hardware and Troubleshooting Course Content Summary
ITE 221 PC Hardware and OS Architecture Course Content Summary
ITN 260 Network Security Basics Course Content Summary

Instructor:

Rick Miller, MS Computer Science
California State University Long Beach
Phone: 703-207-0532
email: rick@warrenworks.com
website: www.warrenworks.com

Class Hours:

Time: Saturday, 1230 pm – 3:10 pm
Room: CT – 131
Dates: 12 January – 4 May 2019

Office Hours:

You can talk to me before, during or after class. You can also call me but I prefer email.

Important Dates To Remember:

  • First day of class: 12 January 2019
  • Last day to drop with tuition refund or change to Audit: 29 January 2019 (Census Date)
  • Last day to withdraw without grade penalty: 24 March 2019 (Note: The award of ‘W’ after the last day to withdraw without grade penalty REQUIRES official documentation and the Dean’s signature.)
  • Holidays/Non Instructional Days: 9 March 2019 (Spring Break)
  • Last day of class: 4 May 2019

Course Objectives:

Upon the completion of this course you will be able to:

  • Discuss computer forensics as a field and career
  • Collect digital evidence on a variety of computer systems using accepted forensic processes
  • Correctly use court accepted imaging and analysis tools
  • Identify the legal challenges to collecting and analyzing digital evidence

Major Topics:

  • Understanding Computer Forensics
    • History of computer forensics
    • Computer forensics as a career
    •  Professional certification and organizations
  • Legal Issues in Computer Forensics
    • Law enforcement investigations
    • Corporate investigations
    • Professional ethics and conduct
  • Preparing for an Investigation
    • Forensic resources
    • Preparing a forensic toolkit
  • Securing a System for Investigation.
    • Evidence Preparation.
    • Employing media wiping tools.
    • Employing checksums/hashing as validation
    • Bit-by-bit copies
  • Analyzing and Understanding File Systems
    • Fat12
    • Fat16
    • Fat32
    • NTFS
  • Data Acquisition at a Physical Layer
    • Imaging a system using forensic tools
    • Using write-blockers
    • Using court accepted tools to duplicate drives
    • Understanding drive geometry
    • Understanding file systems and disk partitioning
    • Hashing the drive
  • Analyzing Data
    • Recovering data at physical layer using court accepted forensic tools.
    • Examining DOS and Windows disk structures
    • Understanding the boot sequence
    • Examining NTFS and FAT file systems
    • NTFS Data Streams
  • Examining Other Media Structures
    • Floppies
    • CDs
    • Thumb/flash drives
  • Recovering Deleted and Encrypted Data from a File System
    • Manually recovering a deleted file, directory and partition in the FAT file system
    • Manually recovering data remnants from slack space in the FAT file system
    • Manually recovering data remnants from unallocated space in the FAT file system
    • Manually recovering file names from the directory entry table in the FAT file system
    • Examining the NTFS file system
    • Manually recovering deleted files in the NTF file system
    • NTFS Encrypted File Systems (EFS)
    • EFS Recovery Agent
  • Recovering Hidden Data at a Physical Layer
    • Hidden partitions
    • Bit-shifting
  • Data Carving
    • Slack space
    • Free space
  • Cataloging and Storing Digital Evidence.
    • Chain of custody
    • Evidence transport
    • Evidence storage
    • Evidence Locker Room

Grades:

Your grade will be determined by your performance on exams, quizzes, projects, and class engagement.

  Quizzes 10%
  Midterm Exam 20%
  Final Exam 20%
  Projects 20%
  Labs 20%
   Engagement (Your active involvement in the learning experience.) 10%
     

Class Schedule:


Week

Topics Covered

Notes
Week 1

 

(Chapters 1, 2, & 15)

 

  • Course Introduction
    • Ice Breaker
  • Overview of Computer Forensics
  • Knowledge Needed for Computer Forensics
  • Computer Crime
  • System Forensic Resources
  • Vocabulary

IMPORTANT: I will flesh out the class schedule as the semester progresses. I will notify the class via Blackboard when I make a change. Be patient, as this is my first time teaching this class, and I will adjust content and timing as necessary to enhance your learning Eexperience.

 

EVEN MORE IMPORTANT: The JBL Course Number for this course is: 3AF85D. Use this number to link your Lab access code with this course.

You can buy the Virtual Lab Access code directly from Jones & Bartlett Learning

 

Recipe for Success:

  • Read ahead to prepare for each day’s lecture
  • Assume you’ll be taking a quiz before each class on assigned homework

The Journal of Digital Forensics, Security, and Law

National Initiative For Cybersecurity Careers And Studies (NICCS)

FedVTE (Veterans get Free Access)

Women’s Society of Cyberjutsu

CyberSeek.org

Week 2

(External Sources and Chapter 5)

 

 

  • Computer Numbering Systems:
    • Binary
    • Octal
    • Hexadecimal
  • Character Encoding
    • ASCII
    • Unicode
    • UTF-8
    • UTF-16
    • UTF-32
  • Review of Computer Operations
  • Binary Operations
    • AND
    • OR
    • XOR
  • Hiding and Scrambling Data
    • Steganography

Links of Interest:

Project 1: Interview a Digital Forensics Investigator: Due Week 6

How a CPU Works

How Hard Disks Work

Why Do Computers Use Binary

ASCII and UNICODE

UTF-8 Encoding

UTF-8 Encoding on WikiPedia

 

 

Week 3

(Chapter 5)

 

 

  • Hiding and Scrambling Data
    • Cryptography & Cryptanalysis Techniques
  • Hash Algorithms
    • MD5
    • SHA

 

JB Learning Labs 1, 2, 4, & 6 Assigned and Due by Beginning of Spring Break

 

 Agenda Slides 2 Feb 19

jsteg Steganography Software

F5 Steganography Software

Video: Cryptography

Video: Hashing Algorithms and Security

OpenPGP.org

Video: Symmetric Encryption Ciphers

Video: Asymmetric Encryption Algorithms

Video: Verifying Authenticity with shasum -a 256

 

 

 

Week 4

(External Sources and Chapters 8 – 10)

 

Project 2: Forensics Technology Deep-Dive: Due Weeks 14 – 15

 

 

 

How USBs are Manufactured

Explaining SSDs

Understand USB

Investigating a Flash Drive

FAT File System Forensics Paper

Video: NTFS File System Forensics

FAT File Systems

Video: Popular File Encodings & File Systems Overview

 

 

 

Week 5

(Chapter 6)

 

  • Recovering Data
Video: Forensic Acquisition in Windows – FTK Imager
Week 6

(External Sources, Chapter 7, & Chapter 12)

 

  • Networking Fundamentals (Review)
    • OSI and Internet Models
    • TCP/IP
    • IPV4
    • MAC
    • Network Devices
      • Router
      • Hub
      • Switch
      • NIC (Network Interface Card)
  • Network Analysis
    • WireShark
Project 1 Due
Week 7
  • Network Analysis (cont.)
  • Email Forensics
    • How email works
    • Email protocols

Email Header Analysis

 

Week 8
  • Midterm
Labs 1, 2, 4, & 6 Due
Spring Break
Week 9

(Chapter 7)

 

  • Email Forensics
Week 10

(Chapter 8)

 

  • Windows Forensics
Week 11
  • Windows Forensics (cont.)
Week 12

(Chapter 9)

 

  • Linux Forensics
Week 13
  • Linux Forensics (cont.)
Week 14

(Chapter 10 & 11)

 

  • Mac OS X Forensics
  • Mobile Forensics
Week 15

 (Chapters 13 & 14)

 

  • Incident and Intrusion Response
  • Trends and Future Directions
Week 16
  • Final Exam

Inclement Weather Policy

Check the NOVA website for inclement weather announcements. http://www.nvcc.edu/depts/homepage/closing.htm#faq

Academic Dishonesty:

I expect the work you do in this class to be your own. I encourage the free exchange of ideas between students, however, the work you ultimately hand in to fulfill course requirements must not be simply copied from another student or other sources. It’s easy to be honest; here are a few rules to help guide you:

  • Cite all references used to write code.
  • You may look at another student’s programming code but give them credit for helping you.
  • If you use stuff from the Internet to help you on a class project list the source.
  • When in doubt…list the source and give credit.
  • You may use code I provide in class in your projects but give me credit for the code I provide.

From the NVCC Catalog

When College officials award credit, degrees, and certificates, they must assume the absolute integrity of the work you have done; therefore, it is important that you maintain the highest standard of honor in your scholastic work. The College does not tolerate academic dishonesty. Students who are not honest in their academic work will face disciplinary action along with any grade penalty the instructor imposes. Procedures for disciplinary measures and appeals are outlined in the Student Handbook. In extreme cases, academic dishonesty may result in dismissal from the College. Academic dishonesty, as a general rule, involves one of the following acts:

  1. Cheating on an examination or quiz, including the giving, receiving, or soliciting of information and the unauthorized use of notes or other materials during the examination or quiz.
  2. Buying, selling, stealing, or soliciting any material purported to be the unreleased contents of a forthcoming examination, or the use of such material.
  3. Substituting for another person during an examination or allowing another person to take your place.
  4. Plagiarizing means taking credit for another personÕs work or ideas. This includes copying another personsÕs work either word for word or in substance without acknowledging the source.
  5. Accepting help from or giving help to another person to complete an assignment, unless the instructor has approved such collaboration in advance.
  6. Knowingly furnishing false information to the College; forgery and alteration or use of College documents or instruments of identification with the intent to defraud.

Attendance Policy:

You should only miss class when you have a genuine emergency. I prefer advance notification via email. It goes without saying that you are responsible for course material and assignments due, and for information covered, on the day(s) you miss. If you miss too many classes, and too many is entirely at my discretion, you will earn an “F” for the class. (Note: To date, the only student who failed the class under this policy did so not because they missed a number of classes, but because they failed to communicate with me about their situation.
I will record attendance at the end of each class. If you intend to leave class early for other than an emergency, please let me know or you will not be marked as present that day. If you fail to attend the first day of class I will administratively withdraw you. If you attend the first day and fail to attend the next two weeks, I will administratively withdraw you. 

The Attendance Policy from the NVCC Catalog:

Education is a cooperative endeavor between the student and the instructor. Instructors plan a variety of learning activities to help their students master the course content. Students are expected to participate in these activities within the framework established in the class syllabus. Faculty will identify specific class attendance policies and other requirements of the class in the syllabus that is distributed at the beginning of each term. Successful learning requires good communication between students and instructors; therefore, in most cases, regular classroom attendance, or regular participation in the case of a nontraditional course format, is essential.
It is the student’s responsibility to inform his/her instructor prior to an absence from class. Students are responsible for making up all coursework missed during an absence. In the event of unexplained absences, the instructor may withdraw a student administratively from the course. If a student does not attend at least one class meeting or participate in an online learning class by the “last day to drop with a tuition refund” (census date), his/her class registration will be administratively deleted. This means that there will be no record of the class or any letter grade on the student’s transcript. Furthermore, the student’s class load will be reduced by the course credits, and this may affect his/her full-time or part-time student status. Tuition will not be refunded.

Learning and Growth Policy

“NOVA is a place for learning and growing.  You should feel safe and comfortable anywhere on this campus.  In order to meet this objective, you should: a) let your instructor, his/her supervisor, the Dean of Students or Provost know if any unsafe, unwelcome or uncomfortable situation arises that interferes with the learning process; b) inform the instructor within the first two weeks of classes if you have special needs or a disability that may affect your performance in this course.”

Emergency Evacuation Procedures:

Should the need to evacuate the room in a hurry arise, the procedures to do so are posted in the class. We’ll discuss these on the first day and hope we never have to use them!!!

TO REPORT AN EMERGENCY OR SUSPICIOUS ACTIVITY

  • NOVA Police at 703-764-5000
  • Police and Fire at 9-1-1

SAFETY PREPARATION

Your ability to react effectively during an emergency takes preparation. The Office of Emergency Management and Safety wants you to be prepared to react immediately. To start, you should know the locations of: the two safest and most direct evacuation routes (see posted evacuation route signs in classrooms), the locations of designated Assembly Areas outside the facility, shelter-in-place areas for a severe weather event, and the nearest automated external defibrillators (AEDs). For additional emergency preparedness information, visit the Office of Emergency Management and Safety website at: www.nvcc.edu/emergency.

FIRE/EVACUATION

  • Activate the nearest fire alarm and call 9-1-1 if possible. If there are no fire alarms nearby, knock on doors and yell “fire” as you exit the building.
  • Evacuate the building. Do not use elevators!
  • Feel closed doors with the back of your hand. Do not open if doors are hot.
  • Move well away from the building when evacuating, and assemble at designated assembly areas.
  • Do not re-enter the building until cleared by authorized personnel.

SEVERE WEATHER/SHELTER-IN-PLACE

If the area is under a Severe Weather/Tornado WARNING, or if notified to shelter:

  • Seek shelter immediately in a Severe Weather Shelter Area or go to an interior hallway or room; at the lowest level in the building; and/or an area free of windows or glass.
  • Protect your body from flying debris with any available furniture or sturdy equipment.
  • Use your arms to protect your head and neck.
  • Wait for the “All Clear” before leaving your shelter area.

VIOLENCE/ACTIVE SHOOTER

  • Determine the most reasonable way to protect your own life and call 9-1-1 or 703-764-5000 when it is safe to do so.
    Run and evacuate if you can. This may be your best chance of survival. Have an escape route in mind. Leave valuables behind and keep hands visible.
  • Hide in an area outside of the shooter’s view. Block entry to your hiding place and lock doors.
  • Turn off lights and silence electronic devices.
  • Fight as a last resort and only when your life is in imminent danger. Attempt to incapacitate the shooter. Act with physical aggression.

EMERGENCY COMMUNICATION

  • In the event of an emergency you may be notified by various means depending on the emergency. Some of the ways you may be notified include:
  • classroom telephones,
  • computer pop-ups,
  • digital flat panels,
  • NOVA Access through www.facebook.com/NOVAaccess and www.twitter.com/novaaccess, or
    text messaging through NOVA Alert. NOVA Alert is a free notification service. You are automatically signed up for email alerts through your NOVA email address.To add a mobile phone number or an additional email account, you must register by going to: https://alert.nvcc.edu. You are strongly encouraged to add additional devices.
  • NOVA may use some or all notification channels to notify you. For a complete list, visit the NOVA website at www.nvcc.edu and search for Alert Notification Systems.

Closing/Class Cancellations

If the College is closed or delayed for any reason, a text alert will be sent to cell phones registered on NOVA Alert and a notice will be posted on the home page of the College’s website. In addition, a message will appear on our cable television station and on local radio and TV stations. The home page of the College’s website will always have the most reliable and up-to-date information about closures or delays.

Fun Policy

Most importantly…I want you to enjoy the class. I will learn as much from you as I hope you’ll learn from me. To this end, I sincerely appreciate any comments you may have about course content and welcome your suggestions on ways to improve this course for future classes. Welcome to class…have fun!

Cybersecurity Center

Visit www.nvcc.edu/cybersecurity for information on NOVA’s Cybersecurity programs. “Liking” the Facebook page at http://www.facebook.com/notifications.php#!/pages/Dr-Margaret-Leary-CyberWatch-Page/149995045038340 allows you to automatically receive information on cybersecurity competitions, scholarships, training opportunities, and other events – even after you have completed your studies at NOVA. Scholarly articles and journals relating to cybersecurity can also be found under “Student Resources” at the NOVA CyberCenter site.

 

Cybersecurity Opportunities

  1.  Free ISACA Membership. Students are eligible for a free ISACA Membership. Information can be obtained by emailing Margaret Leary at mleary@nvcc.edu . The student will need to be prepared to support NOVA’s cyber program, in exchange for the membership, at NOVA events, such as CyCon or the Hackathon. For additional information about ISACA visit: isaca.org
  2. Reduced ISSA-NOVA Membership. ISSA-NOVA is one of the largest chapters of the international ISSA organization (Information Systems Security Administrators). While no longer free, ISSA-NOVA reduces the $100 membership fee to only $30 for students. Students interested in joining should have myself or Brian Ngac validate their full-time status (it is required to be recommended by a member, with both of us being active members). The link at which they apply is https://app.smartsheet.com/b/form/70f8529a04004155b154d67e851435e4.
  3. All Cyber. This No. VA cyber organization meets every other Saturday at the Woodbridge campus in the Arts and Science Building, room 362, at 10AM. Students can tryout for the official NOVA Cyber team and network with other students and industry professionals. Information is located at https://allcyber.org
  4. National Cyber League. Students can also participate each semester in the National Cyber League competition. This is an individual competition that costs $25 per student. Students are provided with a scoring report at the end of the competition and several students show these reports to employers as a demonstration of the skills they have acquired. I expect registration to open in Feb. for the Spring season. I usually recommend that students start early in their academic tenure – ITN 260 is a good starting place. Again, they can practice with peers at the All Cyber meetings.
  5. National Cybersecurity Student Association. Sponsored by National CyberWatch Center, students can join this largest association of cybersecurity students. We also don’t have a chapter, and we should have, as one of the largest cybersecurity education programs in the country. Consider helping a student start a NOVA chapter for students. ?