Syllabus and Course Information



Network Forensic Analysis

MET CS 703 EL

Instructor

Stuart Jacobs, MSc, CISSP

Lecturer, Computer Science Department, Metropolitan College, Boston University

Office hours: One hour prior to class, by prior arrangement

Office Address: 808 Commonwealth Ave., Room 250, Boston, MA 02215

E-mail: sjjacobs@bu.edu

Course Description

This course provides an introduction to the methodology and procedures associated with digital forensic analysis in a network environment. Students will develop an understanding of the fundamentals associated with the topologies, protocols, and applications required to conduct forensic analysis in a network environment. Students will learn about the importance of network forensic principles, legal considerations, digital evidence controls, and documentation of forensic procedures. This course will incorporate demonstrations and laboratory exercises to reinforce practical applications of course instruction and will require an independent research paper related to the course topic.

Prerequisites

Knowledge of information technology fundamentals (computer hardware, operating systems, applications and networking) is required. Successful completion of CS 625, CS 535, or permission of the instructor is also required.

Required Course Books

• Computer Forensics: Investigating Network Intrusions and Cyber Crime, EC-Council, ISBN-13: 978-1-4354-8352-1, ISBN-10: 1-4354-8352-9

• Computer Forensics: Investigating Wireless Networks and Devices, EC-Council, ISBN-13: 978-1-4354-8353-8, ISBN-10: 1-4354-8353-7

• Handbook of Digital Forensics and Investigations, Eoghan Casey ed., Elsevier Academic Press, ISBN-13: 978-0-12-374267-4

These textbooks can be purchased from Barnes and Noble at Boston University.

Courseware

This course uses Online Campus (Blackboard). Once the course starts, all students must use the Online Campus Dashboard internal messaging service. Students are required to use Online Campus for:

• Reading assignments beyond the assigned textbook reading,

• Submitting homework assignments,

• Submitting lab exercises,

• Taking on-line quizzes,

• Participating in discussion threads,

• Taking the on-line final examination and practice final exam, and

• All course-related email correspondence.

Class Policies

1) Attendance & Absences

• Students are required to attend the four scheduled on-campus lectures (9/5, 10/3, 11/7, 12/5) and the final exam on 12/12.

• Students must notify the instructor in advance if unable to attend any on-campus lecture.

2) Assignment, Lab Exercise and Discussion Completion & Late Work

• Homework assignments are mandatory, must be completed and submitted in a timely manner, and must be submitted via Online Campus for this course. Each day a homework assignment is submitted after its due date will result in a penalty of 3 points. Homework assignments submitted more than 5 days late will receive a grade of zero (0). If a student will be unable to submit an assignment by its due date, the student must contact the instructor in advance to avoid the late submission penalty.

• Lab exercises are mandatory, must be completed and submitted in a timely manner, and must be submitted via Online Campus for this course. Each day a lab exercise is submitted after its due date will result in a penalty of 3 points. Lab exercises submitted more than 5 days late will receive a grade of zero (0). If a student will be unable to submit a lab exercise by its due date, the student must contact the instructor in advance to avoid the late submission penalty.

• Student postings to a discussion topic after the listed closing date will not be counted when calculating a student’s discussion grade.

3) Academic Conduct Code – Cheating and plagiarism will not be tolerated in any Metropolitan College course. Such activities/behavior will result in no credit for the assignment or examination and may lead to disciplinary action. Please take the time to review the Student Academic Conduct Code.

Such activities/behavior include copying (even with modifications) another student’s work or letting your work be copied. Your participation in interactions with the instructor and your classmates is encouraged, but the work you submit must be your own. Collaboration is not permitted.

Class Meetings, Lectures, Assignments, Lab Exercises & Examinations

The course will include four (4) class sessions held at the Boston University campus. Each class session will include lectures, laboratory exercises, and an interactive exchange of course-related concepts and materials. These sessions also provide students with the opportunity to interact with other students and the course instructor. The proposed class session dates are listed below (subject to change based on course and instruction requirements):

| On-campus class session | Will occur on |
| --- | --- |
| Session 1 | September 5, 2015 between 1 PM and 4 PM EDT |
| Session 2 | October 3, 2015 between 1 PM and 4 PM EDT |
| Session 3 | November 7, 2015 between 1 PM and 4 PM EST |
| Session 4 | December 5, 2015 between 1 PM and 4 PM EST |
| Final Exam | December 12, 2015 between 1 PM and 4 PM EST |

Students are expected to read the documents listed in the Study Guide prior to each face-to-face session. These documents can be downloaded from the Blackboard Discussion ‘From your Instructor’ area. We will discuss each document assigned to a session.

Failure to read these documents prior to each session will negatively affect your Discussion grades.

On-line Live sessions

• There will be a number of one-hour on-line sessions, in addition to the on-campus meetings identified above, which will be held on Thursday evenings on 9/17, 10/1, 10/15, 10/29, 11/12, and 12/10 at 7:00 PM ET.

During these on-line sessions I will hold a question & answer period. Attendance at these sessions is not required but is highly recommended. All on-line sessions will be recorded and archived. The archived recordings will be accessible from the Online Campus Dashboard under the heading “Live Classroom (Question & Answer) Sessions”.

Assignments

• All homework assignments are identified within the Online Campus Study Guide.

• File names for assignment documents should be:

CS703-HW-.doc

An example assignment document file name is:

CS703-HW5-Jacobs.doc

Student submissions which fail to follow this direction will have 5 points deducted!

• Student assignment submissions must be no more than 4 pages in length, be single spaced, use 12 point Times Roman font and 1” margins on all sides. Student submissions which fail to follow this direction will have 5 points deducted!

• Include the file name in the header and a page number in the footer of your assignment submission document. Student submissions which fail to follow this direction will have 5 points deducted!

• Title cover pages are not required and should not be used;

• Assignment submission documents MUST be in Word 2003 or Word 2007 file formats that are NOT encoded in XML;

• Quoted material and citations must follow the American Psychological Association (APA) format, with a reference section at the end of a student’s submitted work. Please refer to the web site for guidance on following the APA style guide.

• Students are required to comply with the directions contained within the document

APA Criteria for Course.pdf

whenever the work of others is used as part of a student’s assignment submission. Failure to do so will result in points being deducted for the assignment grade.

• Wikipedia is a useful starting point for finding information about a subject BUT NOT an acceptable direct reference source. One should only reference or quote from primary (source) documents.

Lab Exercises

• Lab exercises (Hands-on Projects) are identified within the Assignment description document for each course module.

• File names for lab exercise documents should be:

CS703-LAB-.doc

An example lab exercise document file name is:

CS703-LAB5-Jacobs.doc

Student submissions which fail to follow this direction will have 5 points deducted!

• Students should enter their lab exercise answers directly within each lab exercise document and then submit the completed document, renamed as stated above;

• Lab exercise submission documents MUST be in Word 2003 or Word 2007 file formats that are NOT encoded in XML.

Student Work Due Dates

| Work item | Submission Due Date without Penalty | Last Allowed Submission Date with Late Penalty |
| --- | --- | --- |
| Assignment 1 | 9/19 | 9/24 |
| Assignment 2 | 10/3 | 10/8 |
| Assignment 3 | 10/24 | 10/29 |
| Assignment 4 | 11/14 | 11/19 |
| Assignment 5 | 11/28 | 11/19 |
| Assignment 6 | 11/12 | Late not allowed |
| Quiz 1 | 9/19 | Late not allowed |
| Quiz 2 | 10/3 | Late not allowed |
| Quiz 3 | 10/24 | Late not allowed |
| Quiz 4 | 11/14 | Late not allowed |
| Quiz 5 | 11/28 | Late not allowed |
| Quiz 6 | 11/12 | Late not allowed |
| Discussion 1 | 9/19 | Late not allowed |
| Discussion 2 | 10/3 | Late not allowed |
| Discussion 3 | 10/24 | Late not allowed |
| Discussion 4 | 11/14 | Late not allowed |
| Discussion 5 | 11/28 | Late not allowed |
| Discussion 6 | 12/12 | Late not allowed |
| Lab Exercise 1 | 10/3 | 10/8 |
| Lab Exercise 2 | 10/24 | 10/29 |
| Lab Exercise 3 | 11/14 | 11/19 |
| Lab Exercise 4 | 11/28 | 12/3 |

Study Guide

| On campus Face-to-face Session 1 | |
| --- | --- |
| Meeting Date | 9/5 between 1 PM and 4 PM ET |
| Preparatory Reading (to be read prior to attending session) | Association of Computing Machinery (1992). ACM code of ethics and professional conduct. Communications of the ACM, 35(5), pp. 94-99 (file: ACM code of ethics and professional conduct.pdf) |
| | Anderson, R.E., Johnson, D.G., Gotterbarn, D., & Perrolle, J. (1993). Using the New ACM Code of Ethics in Decision Making. Communications of the ACM, 36(2), pp. 98-107 (file: p98-anderson.pdf) |
| | Hofstede, R., Celeda, P., Trammell, B., Drago, I., Sadre, R., Sperotto, A., & Pras, A. (2014). Flow Monitoring Explained: From Packet Capture to Data Analysis With NetFlow and IPFIX. IEEE Communications Surveys & Tutorials, 16(4), pp. 2037-2064. doi: 10.1109/COMST.2014.2321898 (file: Flow Monitoring Explained- From Packet Capture.pdf) |
| | McRee, R. (2013, August). C3CM: Part 1 – Nfsight with Nfdump and Nfsen. ISSA Journal, pp. 29-32 (file: C3CM Part 1 - Nfsight with Nfdump and Nfsen.pdf) |
| | Nehinbe, J. O. (2010). Log Analyzer for Network Forensics and Incident Reporting. Intelligent Systems, Modelling and Simulation, International Conference on, pp. 356-361 (file: Log Analyzer for Network Forensics.pdf) |
| | Reith, M., Carr, C., & Gunsch, G. (2002). An Examination of Digital Forensic Models. International Journal of Digital Evidence, 1(3), pp. 1-12 (file: An Examination of Digital Forensic Models.pdf) |
| | Willson, D. (2013, August). Legal Issues of Cloud Forensics. ISSA Journal, pp. 25-28 (file: Legal Issues of Cloud Forensics.doc) |

| Module 1 Study Guide and Deliverables | |
| --- | --- |
| Readings | Investigating Network Intrusions and Cyber Crime, Preface and Chapter 1 |
| | Investigating Network Intrusions and Cyber Crime, Chapter 2 |
| | Handbook of Digital Forensics and Investigations, Chapter 1 |
| | Handbook of Digital Forensics and Investigations, Chapter 2 |
| | Blackboard Module 1 Text pages |
| Discussions | Please complete the Introduction Discussion before you continue in the course. |
| | Discussion 1 postings due 9/19 at 6:00 AM (0600 hours) ET |
| Assignments | Assignment 1 is due 9/19 at 6:00 AM (0600 hours) ET |
| Assessments | Quiz 1 is due 9/19 at 6:00 AM (0600 hours) ET |
| Lab exercises | There is no Lab Exercise for this module |

| Module 2 Study Guide and Deliverables | |
| --- | --- |
| Readings | Investigating Network Intrusions and Cyber Crime, Chapter 3 |
| | Investigating Network Intrusions and Cyber Crime, Chapter 4 |
| | Handbook of Digital Forensics and Investigations, Chapter 10 |
| | Blackboard Module 2 Text pages |
| Discussions | Discussion 2 postings due 10/3 at 6:00 AM (0600 hours) ET |
| Assignments | Assignment 2 due 10/3 at 6:00 AM (0600 hours) ET |
| Assessments | Quiz 2 due 10/3 at 6:00 AM (0600 hours) ET |
| Lab exercises | Lab Exercise 1 - Windows 7 Logs due 10/3 at 6:00 AM (0600 hours) ET |

| On campus Face-to-face Session 2 | |
| --- | --- |
| Classroom Meeting | 10/3 between 1 PM and 4 PM ET |
| Preparatory Reading (to be read prior to attending session) | Divyesh, G.D.D. & Nagoor, M.A.R. (2014). Forensic Evidence Collection by Reconstruction of Artifacts in Portable Web Browser. International Journal of Computer Applications, 91(4), pp. 32-35 (file: Forensic Evidence Collection by Reconstruction.pdf) |
| | Dormann, W. & Rafail, J. (2011). Securing your web browser. CERT, Software Engineering Institute, Carnegie Mellon University, pp. 1-18 (file: Securing your web browser.pdf) |
| | Dukes, L., Yuan, X., & Akowuah, F. (2013, April). A case study on web application security testing with tools and manual testing. In Southeastcon, 2013 Proceedings of IEEE, pp. 1-6 (file: A Case Study on Web Application Security Testing.doc) |
| | Tabini, M. (2011). Learn the basics of Web browser security, pp. 1-2 (file: Learn the basics of Web browser security_Security_Macworld.pdf) |
| | Martellaro, J. (2011). The State of Browser Security. The Mac Observer, pp. 1-3 (file: The State of Browser Security 2011 Analysis.pdf) |
| | Mylonas, A., Tsalis, N., & Gritzalis, D. (2013). Evaluating the manageability of web browsers controls. In Security and Trust Management, pp. 82-98 (file: Evaluating the manageability of web browsers controls.pdf) |
| | Webdevout (2011). Web Browser Security Summary, pp. 1-8 (file: Web Browser Security Summary.pdf) |
| | Gugelmann, D., Gasser, F., Ager, B., & Lenders, V. (2015). Hviz: HTTP(S) traffic aggregation and visualization for network forensics. Digital Investigation, 12, S1-S11 (file: HTTPS traffic aggregation and visualization.pdf) |

| Module 3 Study Guide and Deliverables | |
| --- | --- |
| Readings | Investigating Network Intrusions and Cyber Crime, Chapter 5 |
| | Investigating Network Intrusions and Cyber Crime, Chapter 6 |
| | Investigating Network Intrusions and Cyber Crime, Chapter 7 |
| | Blackboard Module 3 Text pages |
| Discussions | Discussion 3 postings due 10/24 at 6:00 AM (0600 hours) ET |
| Assignments | Assignment 3 due 10/24 at 6:00 AM (0600 hours) ET |
| Assessments | Quiz 3 due 10/24 at 6:00 AM (0600 hours) ET |
| Lab exercises | Lab Exercise 2 - Windows Host Intrusion Detection due 10/24 at 6:00 AM (0600 hours) ET |

| Module 4 Study Guide and Deliverables | |
| --- | --- |
| Readings | Investigating Wireless Networks and Devices, Chapter 1 |
| | Investigating Wireless Networks and Devices, Chapter 2 |
| | Handbook of Digital Forensics and Investigations, Chapter 11 |
| | Blackboard Module 4 Text pages |
| Discussions | Discussion 4 postings due 11/14 at 6:00 AM (0600 hours) ET |
| Assignments | Assignment 4 due 11/14 at 6:00 AM (0600 hours) ET |
| Assessments | Quiz 4 due 11/14 at 6:00 AM (0600 hours) ET |
| Lab exercises | Lab Exercise 3 - Windows Software Firewalls due 11/14 at 6:00 AM (0600 hours) ET |

| On campus Face-to-face Session 3 | |
| --- | --- |
| Classroom Meeting | 11/7 between 1 PM and 4 PM ET |
| Preparatory Reading (to be read prior to attending session) | Palomo, E. J., North, J., Elizondo, D., Luque, R. M., & Watson, T. (2012). Application of growing hierarchical SOM for visualisation of network forensics traffic data. Neural Networks, 32, 275-284 (file: Application of growing hierarchical SOM.pdf) |
| | Al-Mahrouqi, A., Abdalla, S., & Kechadi, T. (2014, October). Network Forensics Readiness and Security Awareness Framework. In International Conference on Embedded Systems in Telecommunications and Instrumentation (ICESTI 2014), Algeria, October 27-29 2014 (file: Network Forensics Readiness.pdf) |
| | Bates, A., Butler, K., Haeberlen, A., Sherr, M., & Zhou, W. (2014, February). Let SDN be your eyes: Secure forensics in data center networks. In Proceedings of the NDSS Workshop on Security of Emerging Network Technologies (SENT’14) (file: Let SDN Be Your Eyes:.pdf) |
| | Paglierani, J., Mabey, M., & Ahn, G. J. (2013, October). Towards comprehensive and collaborative forensics on email evidence. In Collaborative Computing: Networking, Applications and Worksharing, 9th International Conference on, 11-20 (file: Towards Comprehensive and Collaborative Forensics on Email Evidence.pdf) |
| | Guo, H., Jin, B., & Qian, W. (2013, April). Analysis of Email Header for Forensics Purpose. In Communication Systems and Network Technologies (CSNT), 2013 International Conference on, 340-344 (file: Analysis of Email Header for Forensics Purpose.pdf) |
| | Ruan, K., Carthy, J., Kechadi, T., & Baggili, I. (2013). Cloud forensics definitions and critical criteria for cloud forensic capability: An overview of survey results. Digital Investigation, 10(1), 34-43 (file: Cloud forensics definitions and critical criteria.pdf) |
| | Shah, J. J., & Malik, L. G. (2013, December). Cloud Forensics: Issues and Challenges. In Emerging Trends in Engineering and Technology (ICETET), 6th International Conference on, 138-139. IEEE (file: Cloud Forensics Issues and Challenges.pdf) |
| | Shah, J. J., & Malik, L. G. (2014, February). An approach towards digital forensic framework for cloud. In Advance Computing Conference (IACC), 2014 IEEE International, 798-801. IEEE (file: An approach towards digital forensic framework for cloud.pdf) |
| | Bhatt, P., Toshiro Yano, E., & Gustavsson, P. M. (2014, April). Towards a Framework to Detect Multi-stage Advanced Persistent Threats Attacks. In Service Oriented System Engineering (SOSE), 8th International Symposium on, 390-395. IEEE (file: Towards a Framework to Detect Multi-Stage Advanced Persistent Threats Attacks.pdf) |
| | De Vries, J., Hoogstraaten, H., van den Berg, J., & Daskapan, S. (2012, December). Systems for Detecting Advanced Persistent Threats: A Development Roadmap Using Intelligent Data Analysis. In Cyber Security (CyberSecurity), International Conference on, 54-61. IEEE (file: Systems for Detecting Advanced Persistent Threats.pdf) |
| | Virvilis, N., Gritzalis, D., & Apostolopoulos, T. (2013, December). Trusted Computing vs. Advanced Persistent Threats: Can a defender win this game? In Ubiquitous Intelligence and Computing, 10th International Conference on and 10th International Conference on Autonomic and Trusted Computing, 396-403. IEEE (file: Trusted Computing vs. Advanced Persistent Threats.pdf) |

| Module 5 Study Guide and Deliverables | |
| --- | --- |
| Readings | Investigating Wireless Networks and Devices, Chapter 3 |
| | Investigating Wireless Networks and Devices, Chapter 4 |
| | Blackboard Module 5 Text pages |
| Discussions | Discussion 5 postings due 11/28 at 6:00 AM (0600 hours) ET |
| Assignments | Assignment 5 due 11/28 at 6:00 AM (0600 hours) ET |
| Assessments | Quiz 5 due 11/28 at 6:00 AM (0600 hours) ET |
| Lab exercises | Lab Exercise 4 - Network Traffic Analysis Using Windows due 11/28 at 6:00 AM (0600 hours) ET |

| On campus Face-to-face Session 4 | |
| --- | --- |
| Classroom Meeting | 12/5 between 1 PM and 4 PM ET |
| Preparatory Reading (to be read prior to attending session) | Rani, D. R., & Geethakumari, G. (2015, January). An efficient approach to forensic investigation in cloud using VM snapshots. In Pervasive Computing (ICPC), 2015 International Conference on (pp. 1-5). IEEE (file: An Efficient Approach to Forensic Investigation in Cloud using VM Snapshots.pdf) |
| | Morioka, E., & Sharbaf, M. S. (2015, April). Cloud Computing: Digital Forensic Solutions. In Information Technology-New Generations (ITNG), 2015 12th International Conference on (pp. 589-594). IEEE (file: Cloud Computing Digital Forensic Solutions.pdf) |
| | Kadivar, M. (2014). Cyber-Attack Attributes. Technology Innovation Management Review, 4(11) (file: Cyber-Attack Attributes AND Assessing the Intentions and Timing of Malware.pdf) |
| | Maheux, B. (2014). Assessing the Intentions and Timing of Malware. Technology Innovation Management Review, 4(11) (file: Cyber-Attack Attributes AND Assessing the Intentions and Timing of Malware.pdf) |
| | Paverd, A., Martin, A., & Brown, I. (2014). Security and Privacy in Smart Grid Demand Response Systems. In Smart Grid Security (pp. 1-15). Springer International Publishing (file: Security and Privacy in Smart Grid.pdf) |
| | Kumar, V., Oikonomou, G., Tryfonas, T., Page, D., & Phillips, I. (2014). Digital investigations for IPv6-based Wireless Sensor Networks. Digital Investigation, 11, S66-S75 (file: Digital investigations for IPv6-based Wireless Sensor Networks.pdf) |
| | Chen, S., Zeng, K., & Mohapatra, P. (2014). Efficient data capturing for network forensics in cognitive radio networks. Networking, IEEE/ACM Transactions on, 22(6), 1988-2000 (file: Efficient Data Capturing for Network Forensics in Cognitive Radio Networks.pdf) |

| Module 6 Study Guide and Deliverables | |
| --- | --- |
| Readings | Investigating Network Intrusions and Cyber Crime, Chapter 8 |
| | Investigating Network Intrusions and Cyber Crime, Chapter 9 |
| | Investigating Network Intrusions and Cyber Crime, Chapter 10 |
| | Investigating Network Intrusions and Cyber Crime, Chapter 11 |
| | Blackboard Module 6 Text pages |
| Discussions | Discussion 6 postings due 12/12 at 6:00 AM (0600 hours) ET |
| Assignments | Assignment 6 due 12/12 at 6:00 AM (0600 hours) ET |
| Assessments | Quiz 6 due 12/12 at 6:00 AM (0600 hours) ET |

Discussion Threads

• Each course module includes a discussion topic in which students are required to participate. Student discussion postings will be graded as per the “Discussion Grading Rubric” under the Online Campus “Syllabus and Course Information” area.

Examinations

• Students are required to take six on-line quizzes (one per module) while the course is running. Students will be allowed 60 minutes to complete each quiz. A student may take each quiz starting when it becomes available via Online Campus. Each quiz will close at 6 AM ET on the date the next module starts and will not be reopened except in unusual circumstances as decided by the instructor. If a student cannot complete a quiz during the week it is available, the student must make prior arrangements with the instructor.

• EL students are required to take a proctored final exam that will be held in class on Saturday 12/12/2015 and last 3 hours. This exam is open book and open notes.

• If the final exam will be missed, it is the responsibility of the student to arrange with the professor a mutually agreeable schedule for completion of the work.

• A practice final exam will be available on Online Campus and can be taken as many times as a student wishes.

• If any work is to be completed beyond the scheduled dates of this course, the student must negotiate a Boston University "Contract for an Incomplete Grade" with the professor prior to the end of the class.

Grading Criteria

Students will have to complete homework assignments to help them master the material. Students will also have to read the textbooks and be ready to discuss the issues related to the current class topics.

Grades will be based on:

• homework assignments (25%)

• quizzes (25%)

• lab exercises (10%)

• discussion thread participation (10%)

• proctored final exam (30%)

Grade ranges are as follows:

• 94 ................
................
