CPSC 4680/5680: Computer Crime Investigation & Computer Forensics

IA Course

Catalog Description      

Study on procedures for identification, preservation, and extraction of electronic evidence. Auditing and investigation of network and host system intrusions, analysis and documentation of information gathered, and preparation of expert testimonial evidence will also be covered. Also forensic tools and resources for system administrators and information system security officers will be explored.

---

Syllabus

---

Course Outcomes

• To familiarize and give the students an ethical perspectives and practices  in computing by teaching them  the  existence of  computer abuse, laws pertaining to such abuse and legal gray areas. This objective can be achieved through the teaching of morality, ethics, security, privacy, intellectual property rights, and the reliability of software products.
• To give the students a technical know how in computer network security so that they are able to not only  know and identify  computer system vulnerabilities, but are able to deal with  a number of them.
• To give the students a legal and investigative framework, understanding, and competence through the study of computer forensics. Students will not only know how to deal with security bleaches, they will also be able to deal with the after effects of such bleaches through investigations and prosecutions of the culprits.
• To  provide the student  with the context to appreciate  the value of technology and  to understand that  technology is not neutral, that it  creates ethical and moral muddles that must be dealt with.
• To create and nurture an ideal atmosphere for academic dialogue, debate, and question-answer sessions among students intended to deepen their understanding of technology and its effects on society.  
• To improve students’ oral and written communication skills.
• To affect their behavior by challenging them to examine ethical and moral situations, think through them and identify relevant support systems.

---

Textbooks 

Nelson, Bill, Amelia Phillips, frank Enfinger, and Chris Steuart. Guide to Computer

            Forensics and Investigations. 3^rd Edition,  Thomson Course Technology, 2008.

Mandia, K.,  Prosise, C. and C. Pepe, M. Incident Response and Computer Forensics.

            Second Edition, Osborne-McGraw Hill, 2003. 

Please check this link from the UTC InfoSec center for additional resources for your course work and paper: 

https://new.utc.edu/engineering-and-computer-science/caecd/resources.

---

COURSE OUTLINE

• Understanding  Computer Forensics
• Understanding Computer Investigations
• Working with Windows and MSDOS Systems ( FAT , UNIX, NTFS File Systems)
• Mac and Linux Boot Processes and Disk Structure
• Digital Evidence  Collection and Controls
• Processing Crime and Incident Scenes
• Data Acquisition
• Computer Forensics Analysis
• E-mail Investigations
• Recovering Image Files
• Writing Investigative Reports

---

Class Notes and Schedule

(to see notes click on Week number)

Week	Lecture Topic	Laboratory Activity
Week 1	Introduction. Nature of Forensics Evidence. Ethical Issues Legal Issues I.	Ethics Case, Seizure Proceedings
Week 2	Evidence Collection. Email Tracing. Internet Fraud.	Email Trace. URL Obscuring. Password Cracking.
Week 3	Legal Issues II. Hard Drive Facts. FAT File Systems I. Hard Drive Imaging.	Hard Drive Mirroring. Understanding MBR and BPB
Week 4	NTFS, UNIX UNIX File Systems II. Searching for Evidence on a Hard Drive I.	Evidence Search at Byte Level.
Week 5	FAT, NTFS, UNIX File Systems III. Searching for Evidence on a Hard Drive II.	Evidence Search with Forensics Tool.
Week 6	Live Systems Investigations.	Creation of Forensics Boot Disks. Emergency Assessment of a UNIX system.
Week 7	Network Protocols. Network Analysis.	Introduction to network scanning tools. Ethereal, TCPDump.
Week 8	Hacking I.	Network Scanning. Traffic Analysis. Snort.
Week 9	Hacking II. Organizational Security.	Denial of Service Attacks.
Week 10	Incidence Response Policies. Incidence Reporting. Forensics and Intrusion Detection Tools.	Network Vulnerability Tools.
Week 11	E-mail Investigations
Week 12	Recovering Image Files
Week 13	Writing Investigative Reports
Week 14	Presentation of Reports

---

References

Article

• 9 Of 10 Companies Hit By Computer Crime, FBI Says; According to the FBI's most recent survey, one of five organizations also admitted that it had been victimized by 20 or more attacks.(Federal Bureau of Investigation report)(Brief Article). (January 01, 2006). Information week.
• Welch, T. (September 06, 1997). Computer Crime Investigation and Computer Forensics. Information Systems Security, 6, 2, 56-80.
• Colaguori, C. (December 01, 2012). Computer crime, investigation, and the law. Police Practice and Research, 13, 6, 539-540.
• Barmaki, R. (January 01, 2012). Computer Crime, Investigation, and the Law.(Book review). Criminal Justice Review, 37, 1, 132-133.
• Handbook of Computer Crime Investigation: Forensic Tools and Technology.(INVESTIGATIONS)(Book Review). (January 01, 2005). Security Management, 49, 3.)
• Computer Forensics: Computer Crime Scene Investigation, Second Edition, by John Vacca, provides an overview of computer crime. (July 01, 2005). Communications News, 42, 7, 10.
• McCollum, T. (November 01, 1997). Computer crime. Nations Business, 85, 11, 18-28.
• Kosiba, T. P. (January 01, 2003). Handbook of computer crime investigation: forensic tools and technology. Forensic Science Communications, 5, 2.)
• Investigating Computer Crime. (January 01, 1997). Fbi Law Enforcement Bulletin, 66, 3, 15.
• Carter, D. L. (January 01, 1995). Computer Crime Categories. Fbi Law Enforcement Bulletin, 64, 7, 21.

Book

• Kizza, J. M. (2013). Ethical and social issues in the information age. London: Springer London.
• Vacca, J. R., & Rudolph, K. (2010). System forensics, investigation, and response. Sudbury, MA: Jones & Bartlett Learning.
• Maras, M.-H. (2012). Computer forensics: Cybercriminals, laws, and evidence. Sudbury, Mass: Jones & Bartlett Learning.
• Leonard, V. A. (1971). Criminal investigation and identification. Springfield, Ill: Thomas.
• James, S. H., & Nordby, J. J. (2003). Forensic science: An introduction to scientific and investigative techniques. Boca Raton, Fla: CRC Press.
• Kim, K. J., & Chung, K.-Y. (2013). IT convergence and security 2012. Dordrecht: Springer.
• Sammons, J. (2012). The basics of digital forensics: The primer for getting started in digital forensics. Amsterdam: Elsevier/Syngress.

---

Resources

Secure Use
General Security Policy: Cyber Ethics	Cyber Ethics
General Security Policy: Information Technology Security Evaluation Criteria (ITSEC)	ITSEC Definition
General Procedures: Inference	Inference Definition
General Procedures: Rainbow Series	Rainbow Series
General Procedures: NSTISSAM COMPUSEC/1-99 Insider Threat to Government Computer Systems	NSTISS Glossary  TEMPEST
General Countermeasures and Safeguards: Computer Law	Computer Law
General Countermeasures and Safeguards: Computer Media	Computer Media  Remanence
General Countermeasures and Safeguards: Evaluate Security Testing Tools	Security Testing Tools
Administrative Countermeasures/Safeguards: Control Management	Change Control  Control Management
Administrative Countermeasures/Safeguards: Privacy Act	Privacy Act of 1974
Operations Policies/Procedures: Keystroke Monitoring	Keystroke Monitoring
Operations Policies/Procedures: Disaster Recovery Planning	Disaster Recovery
Incidents
Policy and Procedures: Incident Response	Incident Response
Policy and Procedures: Witness Interrogation	Witness Interrogation
Operations Countermeasures/Safeguard: Computer Attacks	Computer Virus Timeline
Operations Countermeasures/Safeguard: Computer Emergency Readiness Teams	CERT
Configuration
Administrative Policies/Procedures: Approval to Operate	Approval to Operate
Administrative Policies/Procedures: Configuration/Change Control	Change Control
Administrative Policies/Procedures: Copyright Protection	Copyright Protection
Administrative Policies/Procedures: Patch Management	Patch Management
Administrative Policies/Procedures: Records Management	Records Management
Administrative Policies/Procedures: Wireless Use Policies	Wireless Use Policy
Anomalies and Integrity
General Risk Management: Computer System Risk Management	Risk Management
Access Control Safeguards: Computer System Access Control	Access Control
Access Control Safeguards: Protected Distribution Systems	Protected Distribution System
Access Control Safeguards: Information Systems Access Restrictions	Access Restrictions
Administration
Access Control Mechanisms: KMI Applications	Key Management
Access Control Mechanisms: Single Sign-on	Single Sign On

---

IA Sites

• National Security Agency, Central Security Service—Information Assurance
• Information Assurance Support Environment
• Information Design Assurance Red Team (IDART)
• National Institute of Standards and Technology (NIST) Computer Security Division
• NIST Computer Security Resource Clearinghouse
• National Telecommunications and Information Administration (NTIA)
• ICAT Metabase
• ICAT is a searchable index of information on computer vulnerabilities. It provides search capability at a fine granularity and links users to vulnerability and patch information.
• National Vulnerability Database (NVD)
• STRATCOM
• ASD NII
• Defense Advanced Research Projects Agency (DARPA)
• Defense Information Systems Agency (DISA)
• Internet Traffic Report
  The Internet Traffic Report monitors the flow of data around the world. It then displays a value between zero and 100 and is updated ever 15 minutes. Higher values indicate faster and more reliable connections.
• Electronic Privacy Information Center Home Page
  Public interest research center in Washington, D.C.
• Information Security Portal
  This site provides information concerning the topic of Information Warfare including security tools, the law and legal issues, espionage, terrorism, and information operations.
• Internet Privacy Coalition
• International Computer Security Association (ICSA)
  ICSA is known worldwide as an objective source for security assurance services.
• Glossary of Information Warfare Terms
• Cyberwar - Information warfare and psychological operations
  Provides information on the topics of propaganda analysis, online journals, index and metapages, general resources, intelligence agencies, and articles and documents.
• Reliable Software Technologies (RST): Information Warfare
• Forum of Incident Response and Security Teams (FIRST)
• FIRST brings together a variety of computer security incident response teams from government, commercial, and academic organizations. FIRST aims to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing among members and the community at large.
• International Association for Cryptologic Research (IACR)
  The International Association for Cryptologic Research (IACR) is a non-profit scientific organization whose primary purpose is to further research in cryptology and related fields.
• International Biometrics Industry Association (IBIA)
• Common Vulnerabilities and Exposures
• A list of standardized names for vulnerabilities and other information security exposures - CVE aims to standardize the names for all publicly known vulnerabilities and security exposures.
• Institute for Applied Network Security (IANETSEC)
  The Institute for Applied Network Security is the premier membership organization for practicing information security professionals. The Institute's mission is to provide key technical and business insights to help members solve their most pressing professional challenges.
• Reliability Information Analysis Center (RIAC)
  Reliability Information Analysis Center (RIAC) : A Government and Industry focal point for Reliability, Maintainability, Quality, Supportability, and Interoperability related Engineering, Data, Software, Information, Training and Technical Assistance.