Northern Virginia Community College
Annandale Campus
Spring Semester 2019
16-Week Session
ITN 276 – Computer Forensics I
Section 048N – 3 Credit Hours
Syllabus
Course Description:
Teaches computer forensic investigation techniques for collecting computer-related evidence at the physical layer from a variety of digital media (hard drives, compact flash, and PDAs) and performing analysis at the file system layer.
ITN 276 Computer Forensics I Course Content Summary
Prerequisites and Corequisites:
ITN 106 and ITN 107, or ITE 221 Computer Program Design. Corequisites: ITN 260
ITN 106 Microcomputer Operating Systems Course Content Summary
ITN 107 Personal Computer Hardware and Troubleshooting Course Content Summary
ITE 221 PC Hardware and OS Architecture Course Content Summary
ITN 260 Network Security Basics Course Content Summary
Instructor:
Rick Miller, MS Computer Science
California State University Long Beach
Phone: 703-207-0532
email: rick@warrenworks.com
website: www.warrenworks.com
Text:
Class Hours:
Time: Saturday, 12:30 pm – 3:10 pm
Room: CT – 131
Dates: 12 January – 4 May 2019
Office Hours:
You can talk to me before, during or after class. You can also call me but I prefer email.
Important Dates To Remember:
- First day of class: 12 January 2019
- Last day to drop with tuition refund or change to Audit: 29 January 2019 (Census Date)
- Last day to withdraw without grade penalty: 24 March 2019 (Note: The award of ‘W’ after the last day to withdraw without grade penalty REQUIRES official documentation and the Dean’s signature.)
- Holidays/Non Instructional Days: 9 March 2019 (Spring Break)
- Last day of class: 4 May 2019
Course Objectives:
Upon the completion of this course you will be able to:
- Discuss computer forensics as a field and career
- Collect digital evidence on a variety of computer systems using accepted forensic processes
- Correctly use court accepted imaging and analysis tools
- Identify the legal challenges to collecting and analyzing digital evidence
Major Topics:
- Understanding Computer Forensics
- History of computer forensics
- Computer forensics as a career
- Professional certification and organizations
- Legal Issues in Computer Forensics
- Law enforcement investigations
- Corporate investigations
- Professional ethics and conduct
- Preparing for an Investigation
- Forensic resources
- Preparing a forensic toolkit
- Securing a System for Investigation.
- Evidence Preparation.
- Employing media wiping tools.
- Employing checksums/hashing as validation
- Bit-by-bit copies
- Analyzing and Understanding File Systems
- FAT12
- FAT16
- FAT32
- NTFS
- Data Acquisition at a Physical Layer
- Imaging a system using forensic tools
- Using write-blockers
- Using court accepted tools to duplicate drives
- Understanding drive geometry
- Understanding file systems and disk partitioning
- Hashing the drive
- Analyzing Data
- Recovering data at physical layer using court accepted forensic tools.
- Examining DOS and Windows disk structures
- Understanding the boot sequence
- Examining NTFS and FAT file systems
- NTFS Data Streams
- Examining Other Media Structures
- Floppies
- CDs
- Thumb/flash drives
- Recovering Deleted and Encrypted Data from a File System
- Manually recovering a deleted file, directory and partition in the FAT file system
- Manually recovering data remnants from slack space in the FAT file system
- Manually recovering data remnants from unallocated space in the FAT file system
- Manually recovering file names from the directory entry table in the FAT file system
- Examining the NTFS file system
- Manually recovering deleted files in the NTFS file system
- NTFS Encrypted File Systems (EFS)
- EFS Recovery Agent
- Recovering Hidden Data at a Physical Layer
- Hidden partitions
- Bit-shifting
- Data Carving
- Slack space
- Free space
- Cataloging and Storing Digital Evidence.
- Chain of custody
- Evidence transport
- Evidence storage
- Evidence Locker Room
Grades:
Your grade will be determined by your performance on exams, quizzes, projects, and class engagement.
Quizzes | 10%
Midterm Exam | 20%
Final Exam | 20%
Projects | 20%
Labs | 20%
Engagement (Your active involvement in the learning experience.) | 10%
Class Schedule:
Week | Topics Covered | Notes
Week 1 | (Chapters 1, 2, & 15) | IMPORTANT: I will flesh out the class schedule as the semester progresses. I will notify the class via Blackboard when I make a change. Be patient, as this is my first time teaching this class, and I will adjust content and timing as necessary to enhance your learning experience. EVEN MORE IMPORTANT: The JBL Course Number for this course is: 3AF85D. Use this number to link your Lab access code with this course. You can buy the Virtual Lab Access code directly from Jones & Bartlett Learning. Recipe for Success: The Journal of Digital Forensics, Security, and Law; National Initiative For Cybersecurity Careers And Studies (NICCS)
Week 2 | (External Sources and Chapter 5) | Links of Interest: Project 1: Interview a Digital Forensics Investigator: Due Week 6
Week 3 | (Chapter 5) | JB Learning Labs 1, 2, 4, & 6 Assigned and Due by Beginning of Spring Break. Video: Hashing Algorithms and Security; Video: Symmetric Encryption Ciphers; Video: Asymmetric Encryption Algorithms; Video: Verifying Authenticity with shasum -a 256
Week 4 | (External Sources and Chapters 8 – 10) | Project 2: Forensics Technology Deep-Dive: Due Weeks 14 – 15. FAT File System Forensics Paper; Video: NTFS File System Forensics; Video: Popular File Encodings & File Systems Overview
Week 5 | (Chapter 6) | Video: Forensic Acquisition in Windows – FTK Imager
Week 6 | (External Sources, Chapter 7, & Chapter 12) | Project 1 Due
Week 7 | |
Week 8 | | Labs 1, 2, 4, & 6 Due
Spring Break | |
Week 9 | (Chapter 7) |
Week 10 | (Chapter 8) |
Week 11 | |
Week 12 | (Chapter 9) |
Week 13 | |
Week 14 | (Chapter 10 & 11) |
Week 15 | (Chapters 13 & 14) |
Week 16 | |
Inclement Weather Policy
Check the NOVA website for inclement weather announcements. http://www.nvcc.edu/depts/homepage/closing.htm#faq
Academic Dishonesty:
I expect the work you do in this class to be your own. I encourage the free exchange of ideas between students; however, the work you ultimately hand in to fulfill course requirements must not be simply copied from another student or other sources. It’s easy to be honest; here are a few rules to help guide you:
- Cite all references used to write code.
- You may look at another student’s programming code but give them credit for helping you.
- If you use stuff from the Internet to help you on a class project, list the source.
- When in doubt…list the source and give credit.
- You may use code I provide in class in your projects but give me credit for the code I provide.
From the NVCC Catalog
When College officials award credit, degrees, and certificates, they must assume the absolute integrity of the work you have done; therefore, it is important that you maintain the highest standard of honor in your scholastic work. The College does not tolerate academic dishonesty. Students who are not honest in their academic work will face disciplinary action along with any grade penalty the instructor imposes. Procedures for disciplinary measures and appeals are outlined in the Student Handbook. In extreme cases, academic dishonesty may result in dismissal from the College. Academic dishonesty, as a general rule, involves one of the following acts:
- Cheating on an examination or quiz, including the giving, receiving, or soliciting of information and the unauthorized use of notes or other materials during the examination or quiz.
- Buying, selling, stealing, or soliciting any material purported to be the unreleased contents of a forthcoming examination, or the use of such material.
- Substituting for another person during an examination or allowing another person to take your place.
- Plagiarizing means taking credit for another person’s work or ideas. This includes copying another person’s work either word for word or in substance without acknowledging the source.
- Accepting help from or giving help to another person to complete an assignment, unless the instructor has approved such collaboration in advance.
- Knowingly furnishing false information to the College; forgery and alteration or use of College documents or instruments of identification with the intent to defraud.
Attendance Policy:
You should only miss class when you have a genuine emergency. I prefer advance notification via email. It goes without saying that you are responsible for course material and assignments due, and for information covered, on the day(s) you miss. If you miss too many classes, and too many is entirely at my discretion, you will earn an “F” for the class. (Note: To date, the only student who failed the class under this policy did so not because they missed a number of classes, but because they failed to communicate with me about their situation.)
I will record attendance at the end of each class. If you intend to leave class early for other than an emergency, please let me know or you will not be marked as present that day. If you fail to attend the first day of class I will administratively withdraw you. If you attend the first day and fail to attend the next two weeks, I will administratively withdraw you.
The Attendance Policy from the NVCC Catalog:
Learning and Growth Policy
“NOVA is a place for learning and growing. You should feel safe and comfortable anywhere on this campus. In order to meet this objective, you should: a) let your instructor, his/her supervisor, the Dean of Students or Provost know if any unsafe, unwelcome or uncomfortable situation arises that interferes with the learning process; b) inform the instructor within the first two weeks of classes if you have special needs or a disability that may affect your performance in this course.”
Emergency Evacuation Procedures:
Should the need to evacuate the room in a hurry arise, the procedures to do so are posted in the class. We’ll discuss these on the first day and hope we never have to use them!!!
TO REPORT AN EMERGENCY OR SUSPICIOUS ACTIVITY
- NOVA Police at 703-764-5000
- Police and Fire at 9-1-1
SAFETY PREPARATION
Your ability to react effectively during an emergency takes preparation. The Office of Emergency Management and Safety wants you to be prepared to react immediately. To start, you should know the locations of: the two safest and most direct evacuation routes (see posted evacuation route signs in classrooms), the locations of designated Assembly Areas outside the facility, shelter-in-place areas for a severe weather event, and the nearest automated external defibrillators (AEDs). For additional emergency preparedness information, visit the Office of Emergency Management and Safety website at: www.nvcc.edu/emergency.
FIRE/EVACUATION
- Activate the nearest fire alarm and call 9-1-1 if possible. If there are no fire alarms nearby, knock on doors and yell “fire” as you exit the building.
- Evacuate the building. Do not use elevators!
- Feel closed doors with the back of your hand. Do not open if doors are hot.
- Move well away from the building when evacuating, and assemble at designated assembly areas.
- Do not re-enter the building until cleared by authorized personnel.
SEVERE WEATHER/SHELTER-IN-PLACE
If the area is under a Severe Weather/Tornado WARNING, or if notified to shelter:
- Seek shelter immediately in a Severe Weather Shelter Area or go to an interior hallway or room; at the lowest level in the building; and/or an area free of windows or glass.
- Protect your body from flying debris with any available furniture or sturdy equipment.
- Use your arms to protect your head and neck.
- Wait for the “All Clear” before leaving your shelter area.
VIOLENCE/ACTIVE SHOOTER
- Determine the most reasonable way to protect your own life and call 9-1-1 or 703-764-5000 when it is safe to do so.
- Run and evacuate if you can. This may be your best chance of survival. Have an escape route in mind. Leave valuables behind and keep hands visible.
- Hide in an area outside of the shooter’s view. Block entry to your hiding place and lock doors.
- Turn off lights and silence electronic devices.
- Fight as a last resort and only when your life is in imminent danger. Attempt to incapacitate the shooter. Act with physical aggression.
EMERGENCY COMMUNICATION
- In the event of an emergency you may be notified by various means depending on the emergency. Some of the ways you may be notified include:
- classroom telephones,
- computer pop-ups,
- digital flat panels,
- NOVA Access through www.facebook.com/NOVAaccess and www.twitter.com/novaaccess, or
- text messaging through NOVA Alert. NOVA Alert is a free notification service. You are automatically signed up for email alerts through your NOVA email address. To add a mobile phone number or an additional email account, you must register by going to: https://alert.nvcc.edu. You are strongly encouraged to add additional devices.
- NOVA may use some or all notification channels to notify you. For a complete list, visit the NOVA website at www.nvcc.edu and search for Alert Notification Systems.
Closing/Class Cancellations
If the College is closed or delayed for any reason, a text alert will be sent to cell phones registered on NOVA Alert and a notice will be posted on the home page of the College’s website. In addition, a message will appear on our cable television station and on local radio and TV stations. The home page of the College’s website will always have the most reliable and up-to-date information about closures or delays.
Fun Policy
Most importantly…I want you to enjoy the class. I will learn as much from you as I hope you’ll learn from me. To this end, I sincerely appreciate any comments you may have about course content and welcome your suggestions on ways to improve this course for future classes. Welcome to class…have fun!
Cybersecurity Center
Visit www.nvcc.edu/cybersecurity for information on NOVA’s Cybersecurity programs. “Liking” the Facebook page at http://www.facebook.com/notifications.php#!/pages/Dr-Margaret-Leary-CyberWatch-Page/149995045038340 allows you to automatically receive information on cybersecurity competitions, scholarships, training opportunities, and other events – even after you have completed your studies at NOVA. Scholarly articles and journals relating to cybersecurity can also be found under “Student Resources” at the NOVA CyberCenter site.
Cybersecurity Opportunities
- Free ISACA Membership. Students are eligible for a free ISACA Membership. Information can be obtained by emailing Margaret Leary at mleary@nvcc.edu. The student will need to be prepared to support NOVA’s cyber program, in exchange for the membership, at NOVA events, such as CyCon or the Hackathon. For additional information about ISACA visit: isaca.org
- Reduced ISSA-NOVA Membership. ISSA-NOVA is one of the largest chapters of the international ISSA organization (Information Systems Security Administrators). While no longer free, ISSA-NOVA reduces the $100 membership fee to only $30 for students. Students interested in joining should have myself or Brian Ngac validate their full-time status (it is required to be recommended by a member, with both of us being active members). The link at which they apply is https://app.smartsheet.com/b/form/70f8529a04004155b154d67e851435e4.
- All Cyber. This No. VA cyber organization meets every other Saturday at the Woodbridge campus in the Arts and Science Building, room 362, at 10AM. Students can try out for the official NOVA Cyber team and network with other students and industry professionals. Information is located at https://allcyber.org
- National Cyber League. Students can also participate each semester in the National Cyber League competition. This is an individual competition that costs $25 per student. Students are provided with a scoring report at the end of the competition and several students show these reports to employers as a demonstration of the skills they have acquired. I expect registration to open in Feb. for the Spring season. I usually recommend that students start early in their academic tenure – ITN 260 is a good starting place. Again, they can practice with peers at the All Cyber meetings.
- National Cybersecurity Student Association. Sponsored by National CyberWatch Center, students can join this largest association of cybersecurity students. We also don’t have a chapter, and we should have, as one of the largest cybersecurity education programs in the country. Consider helping a student start a NOVA chapter for students.