Course Syllabus
Description:
This course covers the central topics in detection and prevention of computer crimes. It also
covers techniques and tools for the collection and preservation of evidence of computer crimes.
General legal issues such as handling evidence, chain of custody, admissibility, and working with
law enforcement will be covered. There will be several hands-on exercises in the security lab
examining images from actual compromised machines to give the student experience with each stage
of an investigation.
Course Goals:
The goal of the course is to provide a solid foundation to deal with all aspects of computer crimes.
Student Work:
- Undergraduate: Written exercises will be given to students on a weekly or biweekly basis to be
handed in individually. There will be several hands-on exercises in the security lab examining
images from actual compromised machines to give the student experience with each stage of an
investigation.
- Graduate: In addition to all the undergraduate requirements, graduate students will be given
additional written exercises of a more advanced nature, and will have to do a major project
and presentation.
- Tests: One in-class midterm exam and one final exam (both open book, open notes).
Topics
Week 1: Introduction to Incident Response; Advanced Preparation for Incident Response and Evidence Preservation; Initial Assessment
Week 2: Handling Evidence, Chain of Custody, Admissibility; Internet Research; Tracing IP, MAC, and E-Mail Addresses
Week 3: Windows NT/2000 Registry Basics, File System Structure, Processes, Accounts; Windows NT/2000 Forensics Tools and Toolkits
Week 4: Initial Response to a Windows NT/2000 Incident - Volatile Data Collection; Windows NT/2000 Incident Investigation - Collecting Evidence
Week 5: Investigating a Windows NT/2000 Incident - Case Studies
Week 6: UNIX File System Structure, Inodes, MAC Times, Processes, Accounts; Forensics Tools and Toolkits
Week 7: Initial Response to a UNIX Incident - Volatile Data Collection; UNIX Incident Investigation - Collecting Evidence
Week 8: Considerations for Differing Types of UNIX; Investigating a UNIX Incident - Case Studies
Week 9: Review of UDP, TCP, ICMP, and IP; Investigating Routers; Network Forensics - Intrusion Detection
Week 10: Network Forensics - Intrusion Detection (part 2) and HoneyPots
Week 11: Examining Malicious Programs and Code; Analyzing and Interpreting Data
Week 12: Developing Incident Response Procedures and Supporting Policies; Working with Law Enforcement
Week 13: Network Surveillance, Traps and Trace
Week 14: The Honeynet Project; Case Studies
Basic Bibliography
Primary text:
- Incident Response: Investigating Computer Crime, by Kevin Mandia and Chris Prosise. Osborne/McGraw-Hill, 2001. ISBN 0-07-213182-9.
Alternative texts:
- Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, by Eoghan Casey. Academic Press, 2000. ISBN 0-12-162885-X.
- Hacker's Challenge: Test Your Incident Response Skills Using 20 Scenarios, by Mike Schiffman. Osborne/McGraw-Hill, 2001. ISBN 0-07-219384-0.
- Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community, by The Honeynet Project. Addison-Wesley, 2002. ISBN 0-201-74613-1.