COMPUTER AND INFORMATION SYSTEMS DEPARTMENT



INFS 3120 – Introduction to Computer Forensics

Section: A

Time: Mondays 6:00 to 8:50 p.m.

Room: Hale 202

INSTRUCTOR INFORMATION

INSTRUCTOR: Dr. G. Alan Davis OFFICE: Wheatley Center - #222

E-MAIL: davis@rmu.edu PHONE: 412.397.6440

WEBSITE:

(or via rmu.edu – search for “davis”)

OFFICE HOURS: Posted on

COURSE INFORMATION

COURSE MATERIAL:

Required Text: Guide to Computer Forensics and Investigations – Fifth Edition, by Nelson, Phillips, & Steuart. (Cengage Learning / Course Technology, Boston, MA, 2016)

COURSE DESCRIPTION:

INFS 3120 – Intro to Computer Forensics exposes the student to Computer Forensics and Investigation. This course presents methods to properly conduct a computer forensics investigation beginning with a discussion of ethics, while mapping to the objectives of the International Association of Computer Investigative Specialists (IACIS) certification. The course provides an overview of digital investigations and data recovery with emphasis on data presentation techniques and chain-of-evidence procedures. Current computer forensics tools are presented along with controls required for digital evidence acquisition.

PREREQUISITES --- INFS1020, INFS1030 or INFS1050

PRIMARY GOAL:

The primary goal of INFS 3120 Intro to Computer Forensics is to provide the student with an overview of the theory, best practices, and tools associated with acquiring and analyzing digital evidence.

OBJECTIVES:

At the completion of the course, the student will be able to:

Topic 1: Computer Forensics and Investigations as a Profession

• Compare and contrast Computer Forensics with other related disciplines

• Describe how to prepare for a Computer Investigation

Topic 2: Understanding Computer Investigations

• Describe the systematic approach to computer investigations

• Describe computer forensics workstations, labs, and software

• Explain how to conduct an investigation and complete a case

Topic 3: The Investigator’s Office and Laboratory

• Explain computer forensics lab certification requirements

• Differentiate among forensic lab layouts

• Create a business case for developing a forensics lab

Topic 4: Data Acquisition

• Understand storage formats for digital evidence

• Determine the best acquisition method

• Plan for contingencies in image acquisition

• Validate data acquisition

• Perform RAID data acquisition

• Use remote network acquisition tools

• Use other forensics acquisition tools

Topic 5: Processing Crime and Incident Scenes

• Describe how to collect evidence in private sector and public sector scenes

• Explain how to secure a crime scene

• Explain how to seize and secure digital evidence at the scene

• Describe how to identify, secure, catalog, & store digital evidence

• Explain how to obtain a digital hash

Topic 6: Working with Windows and DOS Systems

• Explore Microsoft file structures

• Examine NTFS disks

• Examine the Windows Registry

• Describe Microsoft boot tasks

• Describe MS-DOS startup tasks

Topic 7: Current Computer Forensics Tools

• Evaluate computer forensics tool needs

• Understand computer forensics software tools

• Understand computer forensics hardware tools

• Validate & test forensics software

Topic 8: Recovering Graphics Files

• Recognize various image files

• Understand data compression

• Locate and recover image files

• Analyze image file headers

• Identify copyright issues with graphics

Topic 9: E-mail Investigations

• Explore the roles of client and server in e-mail

• Investigate e-mail crimes and violations

• Use e-mail computer forensics tools

Topic 10: Report writing for high-tech investigations

• Understand the importance of reports

• Cite guidelines for writing reports

• Generate findings with forensic software tools

Topic 11: Expert Testimony in High-Tech Investigations

• Prepare for testimony

• Testify in court

• Prepare for a deposition or hearing

• Prepare forensics evidence for testimony

Topic 12: Ethics for the Expert Witness

• Apply ethics & codes to expert witnesses

• Cite organizations with codes of ethics

• Describe ethical difficulties in expert testimony

COURSE STRUCTURE:

The methods used in INFS 3120 – Intro to Computer Forensics include lecture and classroom discussion through examples and demonstration. At times, the instructor may make use of a computer projector and/or presentation software in a classroom lecture. The course will also include hands-on computer lab instruction with current software tools used in digital forensics investigations.

COVID-19 INFORMATION

REQUIREMENTS FOR MASKS AND CLASSROOM SEATING:

All students must wear appropriate masks (no shirts or bandannas) covering their mouth and nose while in the classroom. All students must sit in marked seats to allow for necessary physical spacing in the classrooms. Instructors will ask students who are in non-compliance with these requirements to immediately comply. If a student does not comply immediately, the campus police will be called. The student will be removed, and a Student Conduct report filed. The student will be marked absent from class.

COVID-19 ATTENDANCE POLICY

As a result of the Covid-19 pandemic, all students are encouraged to remain home or in their residence hall room when experiencing any signs of illness. Students who test positive for the virus or who must be quarantined after exposure to the virus will be excused from class attendance. Instructors will be notified by the Dean of Students Office if a student is in quarantine or has contracted the virus. A student who is absent due to observed symptoms of Covid-19, is in quarantine due to suspected exposure, or who has a confirmed case of Covid-19, is entitled to makeup work missed if the student fulfills the instructor notification requirements of the policy.

Students are not to be penalized for any missed assignments, projects, examinations, tests, etc. or to have their daily grades automatically reduced when covered by this policy. While the faculty member must allow the student to "make up" or complete any assignments, etc., that were missed due to officially sanctioned obligations, faculty members are under no obligation to tutor or otherwise provide missed instruction. Faculty will determine when make-up exams are scheduled and when missed assignments are due. Students must notify the Dean of Students Office at 412-397-6483 to be excused from class attendance and for this policy to be in effect. Instructors will be notified by the Dean of Students Office.

WHAT TO DO IF YOU HAVE SYMPTOMS OR MAY HAVE BEEN EXPOSED TO COVID-19

Students who have symptoms or think they have been exposed to COVID-19 should immediately leave the classroom and call UPMC MyHealth@School Center at 412-397-6220 for phone screening/triage during business hours. The student should not visit the clinic. If the Center is closed, the student should contact his/her own medical provider for assistance, or the UPMC Anywhere Care App - Virtual Urgent Care (please note: fees apply) and call the MyHealth@School Center on the next business day.

WHAT TO DO IF YOU TEST POSITIVE FOR COVID-19

Students who test positive for COVID-19 should immediately notify the Dean of Students Office at 412-397-6483, and not return to class until they have been cleared to return. The Office of Student Life will notify instructors when students are cleared to return to class. No student should return to class until they are cleared to return.

WHAT IF RMU CAMPUS CLOSES DUE TO COVID-19?

If the RMU campus must be closed due to COVID-19, this class will continue under its normal schedule as a fully-online class. All class materials will continue to be available within Blackboard. Unless otherwise noted, all assignment due dates and exam dates will remain as scheduled. Class sessions will continue as asynchronous (i.e., not live) and/or synchronous (i.e., live) during normal class meeting times.

STUDENT RESPONSIBILITIES

REQUIRED FOR CLASS:

• Access to Forensic Toolkit (FTK) software via Amazon AppStream virtual desktop

• Guide to Computer Forensics and Investigations textbook

READING ASSIGNMENTS:

The student is responsible for doing all the respective reading assignments prior to the scheduled lectures.

WRITTEN ASSIGNMENTS:

The student is responsible for completing all assignments within the allotted periods of time as outlined by the instructor. Written assignment due dates will be established either in the syllabus or provided to the students when relevant lectures are completed.

Important notes:

1. The student is responsible for backing up his/her valuable files appropriately.

2. The student must protect his/her assignments, files, diskettes, etc. from copying by other students and against viruses.

3. Significant time outside of class is necessary to work on the various components of the written assignments.

FOLLOW-UP:

If a student does not fully understand a lecture subject or assignment and would like further explanation, the student is responsible for raising the topic(s) for discussion in class. If further explanation is required on an individual basis, the student is encouraged to see the instructor during office hours or make an appointment.


ASSIGNMENT DUE DATES:


It is the student’s responsibility to complete assignments when they are due. Due dates are announced during class and clearly posted in the weekly schedule at the end of this syllabus. Assignments that are submitted after due dates will be PENALIZED 10% for each day the assignment is late (NO EXCEPTIONS). It is the responsibility of the student (not the instructor) to stay current on class assignments.

ATTENDANCE:


Attendance will be taken at the beginning of each class period. If a student is absent from a class session, that student is responsible for turning in (on time) any assignments that are due or completed/collected during that class session. It is the responsibility of the student (not the instructor) to stay current on class assignments. (See also COVID-19 ATTENDANCE POLICY, posted previously in this syllabus).

MAKE-UP EXAMINATIONS:

If a student is not present for a scheduled examination, the student MUST provide written documentation (i.e., from a medical doctor, from an employer, etc.) as to why the examination was missed.

If proper documentation is not provided, the student WILL NOT be permitted to take a “make-up” examination.

CELL PHONE USE DURING CLASS:

Cell/mobile phone use is NOT permitted during class. If you must take an emergency call or answer an emergency text message, please leave the classroom and make your call or text in the hallways of the building.

Cell/mobile phone use is NOT permitted during in-class examinations. You may NOT access a cell/mobile phone during an in-class examination. Cell/mobile phone use during an examination will result in a grade of 0% for that specific examination. You may NOT use a cell/mobile phone during an in-class examination for language translation. If language translation is necessary during an examination, please bring a printed translation dictionary or consult the Center for Student Success at 412-397-6862 or center4success@rmu.edu for language support services.

You may also ask the instructor to define or clarify any word in an examination question.

EVALUATION CRITERIA:

Your final grade will be calculated using weighted percentages, with each of the following categories contributing, as listed:

Exam 1 15%

Exam 2 15%

Final Exam 15%

Individual Progress Report 10%

Forensic Report (Individual) 20%

Lab Assignments 20%

Class Attendance/Participation 5%

100%

Your final grade will be calculated as follows:

GRADING SCALE:

92.51 – 100 % A

89.51 - 92.5 A-

86.51 - 89.5 B+

82.51 - 86.5 B

79.51 - 82.5 B-

76.51 - 79.5 C+

69.51 - 76.5 C

59.51 - 69.5 D

0.0 - 59.5 F

ACADEMIC INTEGRITY POLICY

The fundamentals of Academic Integrity are valued within the Robert Morris University community of scholars. All Students are expected to understand and adhere to the standards of Academic Integrity as stated in the RMU Academic Integrity Policy, which can be found on the RMU website at rmu.edu. Any student who violates the Academic Integrity Policy is subject to possible judicial proceedings which may result in sanctions as outlined in the policy. Depending upon the severity of the violations, sanctions may range from receiving a zero on an assignment to being dismissed from the university. If you have any questions regarding the policy, please consult your course instructor.

PLAGIARISM POLICY

Plagiarism, taking someone else's words or ideas and representing them as your own, is expressly prohibited by Robert Morris University.  Good academic work must be based on honesty.  The attempt of any student to present as his or her own work that which he or she has not produced is regarded by the faculty and administration as a serious offense.  Student academic dishonesty includes but is not limited to: 

• Copying the work of another during an examination or turning in a paper or an assignment written, in whole or in part, by someone else;

• Copying from books, magazines, or other sources, including Internet or other electronic databases like ProQuest and InfoTrac, or paraphrasing ideas from such sources without acknowledging them;

• Submitting an essay for one course to a second course without having sought prior permission from your instructor;

• Giving a speech and using information from books, magazines, or other sources or paraphrasing ideas from sources without acknowledging them;

• Knowingly assisting others in the dishonest use of course materials such as papers, lab data, reports and/or electronic files to be used by another student as that student's own work.

• NOTE on team or group assignments:  When you have an assignment that requires collaboration, it is expected that the work that results is credited to the team unless individual parts have been assigned.  However, the academic integrity policy applies to the team as well as to its members.  All outside sources must be credited as outlined above.

ACCOMMODATIONS FOR STUDENTS WITH DISABILITIES

Robert Morris University welcomes students with disabilities into all of the University's educational programs. If you have (or think you may have) a disability that would impact your educational experience in this class, please contact Services for Students with Disabilities (SSD) to schedule a meeting with the SSD Coordinator, Molly Hill. Ms. Hill will confidentially discuss your needs, review your documentation, and determine your eligibility for reasonable accommodations. To learn more about SSD and available supports, please visit the SSD Website at rmu.edu/ssd, email ssd@rmu.edu, call (412)-397-6884, or visit the SSD office, located in Nicholson Center, Room 280.

FINAL NOTE TO STUDENTS

The instructor reserves the right to modify any schedule or policy in this class syllabus at any time throughout the class. Modifications may be made as necessary to improve the learning experience or learning environment of the student. Any such modifications will be announced during regular class or exam meeting times.

Finally, any (anonymous) data extracted from the course may be used for research purposes.

GENERAL TOPIC OUTLINE

|Class (Date) |DESCRIPTION |EST. TIME (based on a 15 week session) |REFERENCE TO TEXTBOOK MATERIALS, TUTORIALS, or READING SUPPLEMENTS* |
|1 (1/10) |Intro to class, review of syllabus, schedule, and assignments |1 week |Syllabus; Read Chapter 1; FTK Imager Lab (in-class); C-Cleaner Lab (in class) |
|2 (1/17) |Understanding the Digital Forensics Profession and Investigations |1 week |Finish Chapter 1; FTK Lab 1 Due – Create new case, Backup / Restore Case |
|3 (1/24) |The Investigator’s Office and Laboratory |1 week |Read Chapter 2; FTK Lab 2 Due – Basic Navigation and Bookmarks in FTK |
|4 (1/31) |Data Acquisition |1 week |Read Chapter 3; FTK Lab 3 Due – Index and Live Searches in FTK |
|5 (2/7) |Exam Review & Exam |1 week |Exam 1 (Chapters 1 – 3 & FTK); Receive Case / Start Analysis for Individual Report (due Week 14) |
|6 (2/14) |Processing Crime and Incident Scenes |1 week |Read Chapter 4; Start Shakespeare Lab (in-class) |
|7 (2/21) |Working with Windows & CLI Systems |1 week |Read Chapter 5; FTK Shakespeare Lab Due |
|8 (2/28) |Current Computer Forensics Tools |1 week |Read Chapter 6; Start Registry Viewer Lab (in-class) |
|3/7 |SPRING BREAK – No Classes |1 week | |
|9 (3/14) |Recovering Graphics Files |1 week |Read Chapter 8; FTK Lab 4 Due – Registry Viewer Forensics |
|10 (3/21) |Exam Review & Exam |1 week |Exam 2 (Chapters 4, 5, 6, 8 & FTK); Graphic File Recovery Lab (in-class – if time); Start FTK Lab 5 – PRTK (in-class) |
|11 (3/28) |E-mail & Social Media Investigations |1 week |Read Chapter 11; FTK Lab 5 Due – Password Recovery Toolkit (PRTK) |
|12 (4/4) |Report Writing for High-Tech Investigations |1 week |Read Chapter 14; Individual Progress Report Due |
|13 (4/11) |Expert Testimony in High-Tech Investigations |1 week |Read Chapter 15; FTK Lab 6 Due – FTK Case Log Report |
|14 (4/18) |Ethics for the Expert Witness |1 week |Read Chapter 16; Individual Forensic Report Due |
|15 (Finals Week) |Final Exam; Professor & Course Evaluations; Class wrap-up |1 week |Final Exam (Chapters 11, 14, 15, 16 & FTK) |

* - PLEASE NOTE: Textbook chapters 7, 9, 10, 12, and 13 have been omitted and, therefore, are NOT covered in this course. You are welcome to read these chapters if you want to increase your knowledge in Computer Forensics and augment the topics covered in the course. You are also encouraged to enroll in INFS3191 – Mobile Forensics and INFS4180 – Network Forensics, which cover many of the topics within the omitted chapters.

YOU CONTROL YOUR GRADE!!!

You are in complete control of your grade . . .

1. I do NOT “give” grades; I only report the grade that you earn in the course.

2. I do NOT allow “extra credit” assignments to raise your grade.

3. I do NOT allow “do overs” on assignments or exams.

4. I do NOT allow the use of cell phones during in-class examinations.

5. I DO penalize for each day an assignment is late; therefore, turn in assignments on time.

6. I am happy to meet with any student who does not understand the material or an assignment. I am available during regular office hours, or by appointment.

7. If you do not earn the grade that you wanted in the class, blame the person in the mirror!

Some of my favorite quotations related to education . . .

• Educators open the door, but you must enter by yourself. – Chinese Proverb

• I never teach my pupils, I only provide the conditions in which they can learn.

– A. Einstein

• If you think education is expensive, try ignorance. – D. Bok

• You pay for your education . . . but you must earn your grade! – G. Davis

• I have never “failed” a student . . . students always fail on their own! – G. Davis
