6111 E. Skelly Drive, P. O. Box 477200, Tulsa, OK 74147-7200

CYBER FORENSICS (W/LAB)
Course Syllabus

Course Number: CSFS-0020
OHLAP Credit: Yes
OCAS Code: 8134
Course Length: 130 Hours
Career Cluster: Information Technology
Career Pathway: Network Systems
Career Major(s): Cyber Security Forensics Specialist
Pre-requisite(s): Secure Electronic Commerce

Course Description: Students will learn procedures for tracking and patching security holes after an incident has occurred. This will include seizure of equipment, analysis of confiscated materials, and follow-up procedures relating to the incident.

Textbooks: Guide to Computer Forensics and Investigations, 3rd Edition; Nelson, Phillips, Enfinger, and Steuart; Course Technology

Course

1. Computer Forensics and Investigations as a Profession: This topic introduces you to computer forensics and investigations and discusses some of its problems and concerns.
   a. Define digital forensics.
   b. Describe how to prepare for digital evidence investigations and explain the differences between law enforcement agency and corporate investigations.
   c. Explain the importance of maintaining professional conduct.

2. Understanding Computer Investigations: This topic explains how to manage a computing investigation. You will learn about the problems and challenges that examiners face when preparing and processing an investigation, including the ideas and questions they must consider.
   a. Explain how to prepare a computer investigation.
   b. Apply a systematic approach to an investigation.
   c. Describe procedures for corporate high-tech investigations.
   d. Explain requirements for data recovery workstations and software.
   e. Describe how to conduct an investigation.
   f. Explain how to complete and critique a case.

3. The Investigator's Office and Laboratory: This topic details what you need to set up an effective computing-forensics laboratory, which is where you examine most of the evidence data that you acquire for an investigation.
   a. Describe certification requirements for computer forensics labs.
   b. List physical requirements for a computer forensics lab.
   c. Explain the criteria for selecting a basic forensic workstation.
   d. Describe components used to build a business case for developing a forensics lab.

Revised: 01/14/15 Page 1 of 7
4. Data Acquisition: In this topic, you will learn how to acquire digital evidence from electronic media.
   a. List digital evidence storage formats.
   b. Explain ways to determine the best acquisition method.
   c. Describe contingency planning for data acquisitions.
   d. Explain how to use acquisition tools.
   e. Describe how to validate data acquisitions.
   f. Describe RAID acquisition methods.
   g. Explain how to use remote network acquisition tools.
   h. List other forensics tools available for data acquisitions.

5. Processing Crime and Incident Scenes: This topic describes the differences between the needs and concerns of a business and a law enforcement organization, and then discusses incident-scene processing for both the corporate investigator and the law enforcement investigator.
   a. Explain the rules for digital evidence.
   b. Describe how to collect evidence at private-sector incident scenes.
   c. Explain guidelines for processing law enforcement crime scenes.
   d. List the steps in preparing for an evidence search.
   e. Describe how to secure a computer incident or crime scene.
   f. Explain guidelines for seizing digital evidence at the scene.
   g. List procedures for storing digital evidence.
   h. Explain how to obtain a digital hash.
   i. Review a case to identify requirements and plan your investigation.

6. Working with Windows and DOS Systems: This topic reviews how data is stored and managed on Microsoft operating systems. In this chapter, you examine the tasks each operating system performs when it starts so you can avoid altering evidence when you examine data on a disk.
   a. Explain the purpose and structure of file systems.
   b. Describe Microsoft file structures.
   c. Explain the structure of NTFS disks.
   d. List some options for decrypting drives encrypted with whole disk encryption.
   e. Explain how the Windows Registry works.
   f. Describe Microsoft startup tasks.
   g. Describe MS-DOS startup tasks.
   h. Explain the purpose of a virtual machine.

7. Current Computer Forensics Tools: This topic explores the software and hardware tools you use during computing investigations and forensic analysis.
   a. Explain how to evaluate needs for computer forensics tools.
   b. Describe available computer forensics software tools.
   c. List some considerations for computer forensics hardware tools.
   d. Describe methods for validating and testing computer forensics tools.

8. Macintosh and Linux Boot Processes and File Systems: In addition to Linux and Macintosh operating systems, this topic discusses media and hardware such as CDs, Integrated Device Electronics (IDE) hard drives, small computer system interface (SCSI) hard drives, SATA drives, and the redundant array of independent disks (RAID) configuration.
   a. Explain Macintosh file structures and the boot process.
   b. Explain UNIX and Linux disk structures and boot processes.
   c. Describe other disk structures.
9. Computer Forensic Analysis and Validation: This topic explains how to apply your computer forensics skills and techniques to a computing investigation, including what data to collect and analyze. Validation with hex editors and forensics software is explained.
   a. Determine what data to analyze in a computer forensics investigation.
   b. Explain tools used to validate data.
   c. Explain common data-hiding techniques.
   d. Describe methods of performing a remote acquisition.

10. Recovering Graphics Files: This topic begins with brief introductions to computer graphics and data compression, and then explains how to locate and recover image files based on information stored in image file headers.
   a. Describe types of graphics file formats.
   b. Explain types of data compression.
   c. Explain how to locate and recover graphics files.
   d. Describe how to identify unknown file formats.
   e. Explain copyright issues with graphics.

11. Network Forensics: This topic covers tools and methods for conducting network investigations, performing live acquisitions, and reviewing network logs for evidence. It also examines using UNIX/Linux tools and the Honeynet Project's resources.
   a. Describe the importance of network forensics.
   b. Explain standard procedures for performing a live acquisition.
   c. Explain standard procedures for network forensics.
   d. Describe the use of network tools.
   e. Describe the goals of the Honeynet Project.

12. E-mail Investigations: This topic explains how e-mail works to send and retrieve messages via the Internet. It also reviews some specialized forensics tools.
   a. Explain the role of e-mail in investigations.
   b. Describe client and server roles in e-mail.
   c. Describe tasks in investigating e-mail crimes and violations.
   d. Explain the use of e-mail server logs.
   e. Describe some available e-mail computer forensics tools.

13. Cell Phone and Mobile Device Forensics: This topic covers investigation techniques and acquisition procedures for recovering data from cell phones and mobile devices.
   a. Explain the basic concepts of mobile device forensics.
   b. Describe procedures for acquiring data from cell phones and mobile devices.

14. Report Writing for High-Tech Investigations: This topic discusses the importance of report writing in examinations and offers guidelines on report content, structure, and presentation. Generating reports with forensics software tools is explored.
   a. Explain the importance of reports.
   b. Describe guidelines for writing reports.
   c. Explain how to use forensics tools to generate reports.

15. Expert Testimony in High-Tech Investigations: This topic explains how to become an expert witness and how to avoid problems when giving testimony.
   a. Explain guidelines for giving testimony as a technical/scientific or expert witness.
   b. Describe guidelines for testifying in court.
   c. Explain guidelines for testifying in depositions and hearings.
   d. Describe procedures for preparing forensics evidence for testimony.
16. Ethics for the Expert Witness: This topic provides guidance in the principles and practice of ethics for computer forensics investigators and examines other codes of ethics.
   a. Explain how ethics and codes apply to expert witnesses.
   b. Explain how other organizations' codes of ethics apply to expert testimony.
   c. Describe ethical difficulties in expert testimony.

17. Scenario-based Projects: This topic provides the student with practical application of the knowledge and skills covered in the previous topics and courses.
   a. Complete a scenario-based project based on a corporate incident.
   b. Complete a scenario-based project based on a data recovery incident.
   c. Complete a scenario-based project based on a law enforcement incident.

ODCTE Objectives
TTC Additional Objectives for CF

A. Computer Forensics and Investigations as a Profession
   1. Define computer forensics
   2. Describe how to prepare for computer investigations and explain the difference between law enforcement agency and corporate investigations
   3. Explain the importance of maintaining professional conduct

B. Understanding Computer Investigations
   1. Explain how to prepare a computer investigation
   2. Describe procedures for corporate high-tech investigations
   3. Describe how to conduct an investigation
   4. Apply a systematic approach to an investigation
   5. Explain requirements for data recovery workstations and software
   6. Explain how to complete and critique a case

C. The Investigator's Office and Laboratory
   1. Describe certification requirements for computer forensics labs
   2. List physical requirements for a computer forensics lab
   3. Explain the criteria for selecting a basic forensic workstation
   4. Describe components used to build a business case for developing a forensics lab

D. Data Acquisition
   1. List digital evidence storage formats
   2. Explain ways to determine the best acquisition method
   3. Describe contingency planning for data acquisitions
   4. Explain how to use acquisition tools
   5. Explain how to validate data acquisitions
   6. Describe RAID acquisition methods
   7. Explain how to use remote network acquisition tools
   8. List other forensic tools available for data acquisitions

E. Processing Crime and Incident Scenes
   1. Explain the rules for digital evidence
   2. Describe how to collect evidence at private-sector incident scenes
   3. Explain guidelines for processing law enforcement crime scenes
   4. List the steps in preparing for an evidence search
   5. Describe how to secure a computer incident or crime scene
   6. Explain guidelines for seizing digital evidence at the scene
   7. List procedures for storing digital evidence
   8. Explain how to obtain a digital hash
   9. Review a case to identify requirements and plan your investigation

F. Working with Windows and DOS Systems
   1. Explain the purpose and structure of file systems
   2. Describe Microsoft file structures
   3. Explain the structure of New Technology File System (NTFS) disks
   4. List some options for decrypting drives encrypted with whole disk encryption
   5. Explain how the Windows Registry works
   6. Describe Microsoft startup tasks
   7. Describe MS-DOS startup tasks
   8. Explain the purpose of a virtual machine

G. Current Computer Forensics Tools
   1. Explain how to evaluate needs for computer forensics tools
   2. Describe available computer forensics software tools
   3. List some considerations for computer forensics hardware tools
   4. Describe methods for validating and testing computer forensics tools

H. Macintosh and Linux Boot Processes and File Systems
   1. Explain Macintosh file structures and the boot process
   2. Explain UNIX and Linux disk structures and boot processes
   3. Describe other disk structures

I. Computer Forensic Analysis and Validation
   1. Determine what data to analyze in a computer forensics investigation
   2. Explain tools used to validate data
   3. Explain common data-hiding techniques
   4. Describe methods of performing a remote acquisition

J. Recovering Graphics Files
   1. Describe types of graphics file formats
   2. Explain types of data compression
   3. Explain how to locate and recover graphics files
   4. Describe how to identify unknown file formats
   5. Explain copyright issues with graphics

K. Network Forensics
   1. Describe the importance of network forensics
   2. Explain standard procedures for performing a live acquisition
   3. Explain standard procedures for network forensics
   4. Describe the use of network tools
   5. Describe the goals of the Honeynet Project

L. E-mail Investigations
   1. Explain the role of e-mail in investigations
   2. Describe client and server roles in e-mail
   3. Describe tasks in investigating e-mail crimes and violations
   4. Explain the use of e-mail server logs
   5. Describe some available e-mail computer forensics tools
M. Cell Phone and Mobile Device Forensics
   1. Explain the basic concepts of mobile device forensics
   2. Describe procedures for acquiring data from cell phones and mobile devices

N. Report Writing for High-Tech Investigations
   1. Explain the importance of reports
   2. Describe guidelines for writing reports
   3. Explain how to use forensics tools to generate reports

O. Expert Testimony in High-Tech Investigations
   1. Explain guidelines for giving testimony as a technical/scientific or expert witness
   2. Describe guidelines for testifying in court
   3. Explain guidelines for testifying in depositions and hearings
   4. Describe procedures for preparing forensics evidence for testimony

P. Ethics for the Expert Witness
   1. Explain how ethics and codes apply to expert witnesses
   2. Explain how other organizations' codes of ethics apply to expert testimony
   3. Describe ethical difficulties in expert testimony

Q. Scenario-based Project
   1. Systems Security
   2. Explain the security risks pertaining to system hardware and peripherals.
   3. Implement security applications.
   4. Access Control
   5. Identify and apply industry best practices for access control methods.
   6. Compare and implement logical access control methods.
   7. Assessments & Audits
   8. Organizational Security
   9. Differentiate between and execute appropriate incident response procedures.
   10. Identify and explain applicable legislation and organizational policies.

Teaching Methods: The class will primarily be taught by the lecture and demonstration method and supported by various media materials to address various learning styles. There will be question and answer sessions over material covered in lecture and media presentations. Supervised lab time is provided for students to complete required projects.

Grading Procedures:
   1. Students are graded on theory and shop practice and performance.
   2. Each course must be passed with seventy percent (70%) or better.
   3. Grading scale: A=90-100%, B=80-89%, C=70-79%, D=60-69%, F=50-59%.
Description of Classroom, Laboratories, and Equipment: Tulsa Technology Center campuses are owned and operated by Tulsa Technology Center School District No. 18. All programs provide students the opportunity to work with professionally certified instructors in modern, well-equipped facilities.
Available Certifications / College Credit: The student may be eligible to take state, national or industry exams after completion of the program. College credit may be issued from Oklahoma State University-Okmulgee, Rogers State University or Tulsa Community College. See the program counselor for additional information.

College Credit Eligibility: The student must maintain a grade point average of 2.0 or better.