Course Syllabus

About this course;

This course is designed for students that would like to learn about the emerging field of Computer Forensics. With high tech crime on the rise, students will be able to acquire skills to become proficient in conducting investigations and analyzing cybercrime cases. Forensics tools, methods and procedures for investigating computers. Data recovery techniques and evidence collection, protection of evidence, expert witness skills and computer crime investigation techniques. Analysis of various file systems and specialized diagnostic software to retrieve data. Prepares in part for CompTIA Security+ and maps to Computer Investigation Specialists exam. CSU transferrable.

Learning Outcomes;

Upon completion of this course, a student will be able to:

1. Define and describe computer forensics investigations.
2. Compare and contrast the various operating systems and file systems.
3. Evaluate and choose appropriate software, hardware, and tools to equip a Forensics Lab.
4. Retrieve and analyze data from a suspect's computer.
5. Create investigative reports and act as an expert witness.

TextBook;

"Guide to Computer Forensics and Investigations", Sixth Edition, Bill Nelson, Amelia Phillips, Chris Steuart; ISBN; 978-1-337-56894-4

Course Requirements;

Assignments;

1. In-class activity: Group discussions on current topics such as 1. Current crimes and legal issues 2. New forensic techniques 3. New hardware and security practices
2. In-class activity: Hands~on lab projects such as I. Imaging a hard drive 2. Searching through a forensic image to find evidence 3. Using a forensic boot disk
3. Out-of-class assignment: Readings from the textbook on topics such as 1. Investigative techniques 2. Hard drive formats 3. Court procedures
4. Out-of-class assignment: Written reports that involve independent research on topics such as: 1. Current legal controversies 2. Privacy and law enforcement searches 3. New hardware and techniques

Evaluation;

1. Participation: Student contributions to in-class discussions
2. Other: Graded hands-on projects
3. Exams/Quizzes/Tests: Tests and/or quizzes on topics covered in out-of-class reading, such as: a. Use of forensics hardware and software b. Investigative techniques
4. Written work: Written reports involving independent research
5. Final Assessment: Comprehensive final exam on topics such as: a. Reading encrypted files b. Viewing and interpreting email headers c. Recovering passwords.

Contents;

1. Introduction - computer investigations in general
   1. Computer Forensics, definition and description
   2. Investigations, Law Enforcement and Corporate
      1. Securing evidence, copying the disk
      2. Analyzing the digital evidence
      3. Demonstration of correct procedures and methods.
2. Windows, DOS, Macintosh, and Linux overview
   1. Disk partitions
   2. The Registry
   3. NTFS attributes
   4. EFS recovery agents (Encryption File System)
   5. DOS and Windows startup sequence.
   6. MacIntosh and Linux Disks
      1. Volumes, file systems
      2. Boot sequence, data structures
3. A typical investigator's laboratory and tools
   1. The need for physical security
   2. Laptop forensics workstations
   3. Current computer forensics tools
      1. Command-line software tools
      2. Graphical interface tools
      3. Making a forensics boot floppy disk
      4. Retrieving evidence using a remote network connection
   4. Hardware tools
   5. Workstations
   6. Write Blockers
   7. Other common devices
4. Gathering digital evidence
   1. Methods of data acquisition
      1. Using DOS tools
      2. Other acquisition tools and methods
   2. Identifying, securing, and cataloguing digital evidence
   3. Processing and handling evidence at a crime scene
   4. Storing and documenting digital evidence
   5. Analyzing digital data
      1. Addressing data hiding techniques
      2. Recovering passwords
      3. Examining encrypted files
   6. Email Investigations
      1. Copying and printing email messages
      2. Viewing email headers
      3. Examining server logs in Unix, Windows
5. Writing investigation reports and being an expert witness
   1. Explaining the principal results in plain English, avoiding jargon
   2. Proper use of reports generated by forensic tools
   3. Declarations and affidavits