CPSC 6155 – Special Topics on Windows Network Forensics

Instructor(s): Dr. Lydia Ray

Office: CCT429                                                                                               Office phone: (706) 565-3615
Department phone: (706) 568-2410                                                             Department FAX: (706) 565-3529
Office Hours: MON-THURS 9.00 -11.00 AM, TUE, THU: 4.15 PM – 5.15 PM
e-mail address: ray_lydia@columbusstate.edu
homepage:http://csc.columbusstate.edu/ray

 

Description of Course: (Prerequisite: Basic knowledge of Operating System and Networks). This course is about conducting a thorough investigation into a Windows network. The course mainly focuses on how to analyze Windows memory, registry, log files and executable files for incriminating evidence in a networked environment. The course also explains live data acquisition from a Windows computer.

 

Required Textbook(s):

1.      Windows Forensic Analysis DVD Toolkit, Second Edition  By Harlan Carvey

Reference Textbook(s):

2.      Mastering Windows Network Forensics and Investigation  by Steven Anson and Steve Bunting

 

Required platform and other material:  

1.       Windows XP and Internet connection (If you use Vista, Windows 7 or any other OS, you must be prepared for troubleshooting by yourself)

2.       Other necessary materials will be declared later in class.

 

Course Objectives

1.      Students will have an understanding of Microsoft network structure, Windows port services and some of Windows main vulnerabilities.

2.      Students will learn to acquire and analyze live volatile data (i.e., data in RAM) from a Windows computer.

3.      Students will learn how to analyze different sectors of a Windows computer (mainly XP and older) in a networked environment.

4.      Students will learn to effectively search Windows memory and registry for evidence.

5.      Students will learn to analyze different log files and executable files.

6.      Students will learn how to detect rootkits and how to prevent rootkits installation.

7.      Students will learn how to effectively document the process of investigation along with the findings.

 

Instructional Methods and Techniques

1. The class will be taught online. Learning sessions will usually be conducted via lecture notes uploaded in CougarView. See http://www.columbusstate.edu/cs/Academics/Online/OnlineInfo.asp for information on taking an online course.

How to Access the Course

This course is being offered through WebCT Vista. You can access WebCT Vista at: http://webct.colstate.edu/ 

Your WebCT Vista username and password are:

Username: lastname_firstname
Password: XXXXXX

where "XXXXXX" is the your birthdate in DDMMYY format.

If you try the above and WebCT Vista will not let you in, please use the "Comments/Problems" link at the bottom of the WebCT home page to request help. If you are still having problems gaining access a day or so after the class begins, please e-mail me.

Once you've entered WebCT, you will see a list of courses you have access to. The CPSC 6159  course is listed as "Computer Forensics." If you don't see the course in the list, please e-mail me immediately.

How This Course Will Work

This course will consist of readings, assignments, “lab” assignments, a final project and one examination. On a weekly basis, you will need to:

1. review the week's lesson;
2. complete the readings from the textbook;
3. complete the assignments;

Rule of Assignments:

1.      An assignment will contain hands-on assignments, questions on those assignments and other general questions to test your knowledge on that week’s reading lessons.

2.      You do NOT need to attach screen shots of your hands-on work unless you are specifically asked to do so.

3.      You need to write the answers of assignment questions in enough details. Do not assume I know what you want to mean.

4.      No late assignment will be accepted unless there is a medical reason.

5.      Assignments must be submitted in web ct drop box. It is your responsibility to work ahead of time and ensure timely submission in proper place.

6.      If you submit assignments via e-mail, timely grading of those assignments cannot be guaranteed (unless there is any medical reason). If you submit assignments in my CougarNet account, assignments may get misplaced. I will not take responsibility of any lost assignment that was not submitted in assignment drop-box.

Rule for Examination:

1.      You will take one midterm examination.

2.      The rules and requirements of proctoring will be published within the first week of class.

Discussions:

1.      There will be threaded discussions to interact with other classmates and the instructors.

2.      The topic of discussion can be anything you want to share with your classmates. However, the focus of these discussions will be to discuss any problem that you encounter while taking this course. For example, if you have problem downloading or installing specific forensic software, you may create a discussion thread and ask for suggestion from your classmates. If you think there is a wrong question in an assignment, you may create a threaded discussion. However you are not allowed to discuss any examination question. Any issue with the examination will be discussed only via e-mail exchange with the instructor (and only with the instructor). 

3.      These discussions will be reviewed by the instructor. But they will not be graded.

Rule for Final Project: Instructions will be provided later.

Student Responsibilities

 

As a student in this course, you are responsible to:

• manage your time and maintain the discipline required to meet the course requirements,
• complete all readings,
• complete all assignments,
• decide on and coordinate a final project with the instructor, and
• read any e-mail sent by the instructor and respond accordingly.

“I didn’t know” is not an acceptable excuse for failing to meet the course requirements. If you fail to meet your responsibilities, you do so at your own risk.

Instructor Responsibilities

 

As your instructor in this course, I am responsible to:

·         post weekly lessons outlining the assignments for the week,

·         read all responses to discussion questions and comment if necessary,

·         grade assignments, midterm and the final project, and post scores within one week of the end of the week in which they are submitted, and

·         read any e-mail sent by the you and respond accordingly within 48 hours.

 

Course Evaluation (tentative): Will be provided later.

Grades may be determined according to this scale:

A 90% - 100%	B 80% - 89%
C 70% - 79%	D 60% - 69%

 

General Policies

You are responsible for all class work missed, regardless of the reason for the absence(s). Late assignments will not be accepted. No makeup exams or quizzes will be given, so please make sure you are present for all exams/quizzes. Refer to the CSU Catalog (http://aa.colstate.edu/advising/a.htm#Attendance%20Policy) for more information on class attendance and withdrawal.

Academic dishonesty Academic dishonesty includes, but is not limited to, activities such as cheating and plagiarism (http://aa.colstate.edu/advising/a.htm#Academic%20Dishonesty/Academic%20Misconduct). It is a basis for disciplinary action. Any work turned in for individual credit must be entirely the work of the student submitting the work. All work must be your own. [For group projects, the work must be done only by members of the group.] You may share ideas but submitting identical assignments (for example) will be considered cheating. You may discuss the material in the course and help one another with debugging; however, any work you hand in for a grade must be your own.  A simple way to avoid inadvertent plagiarism is to talk about the assignments, but don't read each other's work or write solutions together unless otherwise directed by your instructor. For your own protection, keep scratch paper and old versions of assignments to establish ownership, until after the assignment has been graded and returned to you. If you have any questions about this, please see your instructor immediately. For assignments, access to notes, the course textbooks, books and other publications is allowed. All work that is not your own, MUST be properly cited. This includes any material found on the Internet. Stealing or giving or receiving any code, diagrams, drawings, text or designs from another person (CSU or non-CSU, including the Internet) is not allowed. Having access to another person’s work on the computer system or giving access to your work to another person is not allowed. It is your responsibility to prevent others from having unauthorized access to your work. No cheating in any form will be tolerated. Penalties for academic dishonesty may include a zero grade on the assignment or exam/quiz, a failing grade for the course, suspension from the Computer Science program, and dismissal from the program. All instances of cheating will be documented in writing with a copy placed in the Department’s files. Students will be expected to discuss the academic misconduct with the faculty member and the chairperson. For more details see the Faculty Handbook: http://aa.colstate.edu/faculty/FacHandbook0203/sec100.htm#109.14 and the Student Handbook: http://sa.colstate.edu/handbook/handbook2003.pdf

 

Getting help
You can always contact me during my posted office hours, by e-mail, or by appointment.

 

CSU ADA statement
If you have a documented disability as described by the Rehabilitation Act of 1973 (P.L. 933-112 Section 504) and Americans with Disabilities Act (ADA) and would like to request academic and/or physical accommodations please contact Joy Norman at the Office of Disability Services in the Center for Academic Support and Student Retention, Tucker Hall (706) 568-2330, as soon as possible. Course requirements will not be waived but reasonable accommodations may be provided as appropriate.