Is 391 12S8W2 Syllabus

Syllabus for Incident Response and Investigation Methods.

Page 1: Is 391 12S8W2 Syllabus

Incident Response & Investigation Methods

IS 391 OL1 SYLLABUS

Instructor Information

Name: Ron Shaffer

Email: [email protected]

Office: N/A

Course Information

Course Name: Incident Response & Investigation Methods

Course Number: IS391

Course section: OL2

Semester: 15S8W2 Spring - Accelerated (8-Week) online

Year: 2015

Course Materials

Course texts include:

Computer Forensics Investigation Procedures and Response, EC-Council Press, Course Technology, 2010

ISBN: 1-4354-8349-9

978-1-4354-8349-1

Computer Forensics Jump Start, Solomon, Rudolph, Tittel, Broom and Barrett, Wiley Publishing, 2011

0-470-93166-0

Note: Students must have a computer login and password, Blackboard login and password. Reliable internet access is required.

Course Description

Examines the role of the computer forensics investigator as a member of an Incident Response Team and explores the nature of the threat to organizations, the indicators that an incident is underway, the policies and procedures to be followed when an incident is detected, and the investigation methods used to collect evidence for prevention or prosecution. The course will explore the best practices used to create, organize and deploy an incident response team for malicious activity. Students will receive three credits for successfully completing the course.

Incident Response & Investigation Methods – IS 1391 - Page 1

Course Learning Outcomes

Upon course completion, students will be able to:

Understand corporate forensic needs

Identifying Evidence

Describe computer evidence

Address evidence handling issues

Preserve Evidence

Analyze Evidence

Present Evidence

Understand computer forensics hardware

Define computer Forensics

Course Learning Strategies/Assessment

Learning outcomes will be achieved through the following strategies:

Power Point Presentations

Web based course materials

Structured discussion

Problem-Solving Scenarios

Individual projects

Quizzes, Tests

Project assignments

University Student Learning Goals

Self, Societies, and the Natural World: The SU graduate will demonstrate knowledge of self, others, diverse societies, and the natural world, through the integration of the liberal arts and professional studies.

Reasoning: The SU graduate will use critical and creative thinking to locate and evaluate information, ask and answer questions, address issues, and solve problems.

Communication: The SU graduate will communicate effectively for diverse audiences, situations, and purposes.

Ethics: The SU graduate will exhibit personal and professional ethical reasoning and behavior.

Wellness: The SU graduate will seek opportunities to promote well-being of self and others.

Career Readiness: The SU graduate will reflect on, plan, and pursue personal and professional development.

Lifelong Learning: The SU graduate will possess the foundations and skills for lifelong integrative learning and contribution.

Objectives of the Core Curriculum

Upon successful completion of the core curriculum, Stevenson University graduates will

1. Demonstrate effective oral and written communication skills.

2. Demonstrate basic technological competence.

3. Demonstrate ability to obtain, evaluate, and use information to solve problems.

4. Demonstrate knowledge of basic wellness principles.

5. Demonstrate knowledge to a diversity of perspectives and values in the liberal arts and sciences.

6. Identify key concepts, perspectives, methods, values underlying, and applications of the fine arts, social sciences, humanities, mathematics, and the sciences.

7. Explore individual, cultural, global, and ethical considerations in human relations.

8. Demonstrate knowledge of the effects of individual, cultural, and global differences on human relations.

Course Assignment Expectations

All assignments for each week are not only listed in the course syllabus but have a corresponding learning unit under the Module button in this course.  All work to be done for the week as well as links for submitting assignments has been provided in these learning modules. 

Late work and make up exam policy:

All assignments for each Module are due no later than 11:45 P.M. on Sunday of that week, as listed in the course schedule/ Module assignment schedule portion of the syllabus. For example, all Module 1 work must be submitted no later than 11:45 P.M. on Sunday, March 29, 2015 (03/29/15).

Students will not receive credit for assignments submitted late or missed exams without prior approval of the instructor. Only in the most extreme circumstances may students petition the instructor for exemption. The instructor will consider all petitions, deny those deemed other than extreme, and grant those where evidence is clear. At the discretion of the instructor, the student may be required to petition the Information Systems Program Coordinator from the School of Graduate and Professional Studies (GPS) for exemption. The process requires an in-person and/or telephone interview with the GPS Information Systems Program Coordinator and a detailed formal letter of explanation which shall cite, among other items, the personal contact information for verification of required references. Further details of the process and the documentation required can be obtained from the instructor.

Course Grading Policy

The final course grade will be allocated according to the following formula:

Case Studies 20%

Tutorial/Chapter Assignments 5%

Projects 25%

Exams 10%

Papers 15%

Discussion Board 10%

Note: Improper, distracting, disrespectful or disruptive behavior in the online classroom or anything less than professional and respectful email communication will result in a severe grading penalty beyond the breakdown noted above at the discretion of the instructor. Any violation of the Academic Honesty Policy or the policies detailed in this syllabus may result in an “F” for the assignment or an “F” for the course at the discretion of the instructor. The penalty for a violation of the Academic Honesty Policy could be changed to dismissal from the University by higher authorities.

Grading Ranges:

A 100.00 93 4.0

A- 92 90 3.7

B+ 89 87 3.3

B 86 83 3.0

B- 82 80 2.7

C+ 79 77 2.3

C 76 73 2.0

C- 72 70 1.7

D+ 69 67 1.3

D 66 60 1.0

F 59 0 0.0

Example:

Course Grading Policy:

In compliance with the Stevenson University grading policy, a student’s performance in a course will be measured in accordance with the following grading system:

A = 4.0 Excellent: Outstanding achievement and initiative.

B = 3.0 Good: Above average attainment

C = 2.0 Satisfactory: Average mastery of essentials meeting the minimum course requirements. It is the lowest possible passing grade.

D = 1.0 Unsatisfactory: IS courses require a grade of C or higher - repeat required

F = 0.0 Failure: No credit for the course

The grade of C- is the lowest acceptable grade for Information Systems courses (accelerated or traditional). Required IS courses in the major must be repeated for a grade of C- or better in order to graduate.

The grade of 'B' represents above average work meeting minimum course requirements. The student receiving a grade of 'B' has consistently demonstrated a complete understanding of the material and concepts presented throughout the course. Additionally, the student has completed all course requirements on time, exhibited enthusiastic interest in topics and discussions and is able to present and apply course concepts in a clear and organized manner, both verbally and on written tests.

The grade of 'A' is awarded only to those students who fully meet this standard, who additionally demonstrate exceptional comprehension and application of the course material, and demonstrate initiative in course requirements. 

Course Schedule

Module Topic Assignments

Pre Assignment Week

Preliminary Setup

Blackboard Submission

Introductions Discussion Board

1

Chapter 1: The Need for Computer Forensics

Read Ch. 1: Computer Forensics Jump Start

Completion of Chapter 1 Review questions (even questions only).

Complete Discussion Board Introduction

Complete 2 article abstracts.

Chapter 1: Computer Forensics in Today’s World

Read Ch 1: Computer Forensics Investigation Procedures and Response

Complete Module 1 Discussion question.

2

Chapter 2: Preparation - What to do before you start

Read: Computer Forensics Jump Start, Solomon, Barrett, and Broom

Completion of Chapter 2 Review questions (Odd only)

Assemble an incident response team to respond to a network security breach

Create an action plan for handling the network security breach

Chapter 2

Read: Computer Forensics Investigation Procedures and Response

Complete hands-on projects

Design a computer forensics lab

Establish a security policy for your computer forensics lab

Research the following areas of law related to computer security:

The Fourth Amendment

Fifth Amendment

Wiretap Act (18 U.S.C. 2510-22)

Pen Registers and Trap and Trace Devices Statute (18 U.S.C. 3121-27)

Stored Wired and Electronic Communication Act (18 U.S.C. 2701-120)

Write a paper (min. of 3 pages)

3

Chapter 3: Computer Evidence and Search Authority

Read: Computer Forensics Jump Start, Solomon, Barrett, and Broom

Complete the following case studies:

Case study #1 (U.S. Supreme Court Katz v. United States, 389 U.S. 347 (1967))

Case study #2 (UNITED STATES v. ZIEGLER Case Study #2)

Case Study #3 (The Waco Affidavit)

Computer Forensics Investigation Procedures and Response

Read: Computer Forensics Investigation Procedures and Response

Complete the following projects:

Project #1

Complete Software and Hardware Write Blockers internet exercise located in Solomon, Barrett, and Broom Computer Forensics Jump Start, chapter 3, pg. 70.

Project #2

Software and Hardware Write Blocker tools evaluation and questions

Project #3

Read the 4th Amendment of the Constitution and complete questions on illegal search and seizure

4

Chapter 4: Common Task

Read: Computer Forensics Jump Start

Complete Case Study #4

Complete Project #1

Chapter 4

Read: Computer Forensics Investigation Procedures and Response

Complete hands-on projects: 1, 2, & 3 (listed on pg. 4-20 in the “Computer Forensics Investigation Procedures and Response” textbook)

5

Chapter 5: Capturing Data Image

Chapter 6: Extracting Information from data

Read: Computer Forensics Jump Start

Complete:

Case Study #6 “Waco Search Warrant”

Case Study #7 United States v. Naparst

Article Abstract

Chapter: 5 and 6

Read: Computer Forensics Investigation Procedures and Response

Complete:

Project #1 - Create an evidence log

Project #2 - Create a chain of custody log

Project #3 - Research Forensic tool kit software and answer questions

6

Chapter 7: Passwords and Encryption

Chapter 8: Common forensic tools

Read: Computer Forensics Investigation Procedures and Response

Complete:

Paper #1 - 2-3 page paper explaining the different types of encryption and best practices

Paper #2 - Recommendation to Stevenson University for the best encryption

Case Study #8

Project #1 - Detect and Eliminate Computer Acquired Forensics (DECAF)

7

Chapter 9: Pulling it all together

Read: Computer Forensics Jump Start

Complete:

Project #1 - Create a detailed forensic analysis report

Project #2 - Complete crime scene documentation packet

Case Study #9

Case Study #10

8

Chapter 10: Testifying in Court

Read: Chapter 10, Computer Forensics Jump Start

Complete the following:

Internet Ex. #1

Case Study #11

Final Exam

FINAL EXAM

Deliverable Schedule

DELIVERABLE DUE

Readings Weekly

Case Study Weekly

Exams (Mid-term and Final) Weeks 5, 8

Exercises Weekly

Projects Weeks 2, 4, 6, 8

Standards of Academic Honesty and Ethics

To promote the free exchange of ideas, the Stevenson University community depends upon the academic honesty of all of its members. While acknowledging that the vast majority of students conduct themselves with a fundamental honesty, the University seeks to set the highest ethical standards. For students, academic honesty is merely a prelude to the personal integrity and professional ethics that will govern their careers. In all cases, intellectual honesty provides the clearest path to knowledge, understanding, and truth--the highest goals of an academic institution. Therefore, the University expects honesty from all of its members in every academic setting.

Academic honesty applies to all situations, including but not limited to documenting all sources used in assignments, completing all tests without unauthorized assistance, and providing accurate information on University documents.

Violations of Academic Honesty and Ethics

Any attempt to commit the following offenses constitutes academic dishonesty.

Cheating: Using unauthorized material to complete a test, quiz, examination, or assignment. Cheating includes, but is not limited to, copying from other students, relying upon aids or notes during a test, or consulting outside sources without the instructor's permission. Giving unauthorized assistance to other students also constitutes cheating.

Plagiarism:  Representing the words, ideas, research, or works of another as one's own.  Plagiarism can involve submitting work prepared entirely or in part by another person or commercial service or borrowing material as direct quotation, partial quotation, or paraphrase from published or unpublished sources without proper acknowledgement.  Students must document all print, online, and oral sources they use to complete assignments.

Unauthorized Assistance:  Preparing an assignment with the help of another student or allowing another person, such as a tutor, to alter or revise an assignment beyond the scope of collaboration the instructor has defined.

Fabrication:  Presenting false data, sources, or research results for academic credit.

Multiple Submission: Presenting the same work, in whole or in part, for credit in more than one course without the explicit permission of all interested instructors.

Other Violations:  Including, but not limited to, lying, forgery, bribery, damaging or stealing University or another's property, physically abusing another person, or verbally threatening another.

Sanctions for Violating Standards of Academic Honesty and Ethics

Should a student violate the University's standards of academic honesty and ethics, he or she will be liable to sanctions according to the following procedure. Infractions will lead to probation, suspension, or expulsion of the student from the University.

Plagiarism Policy

Plagiarism is considered a serious offense by the University administration and can result in the student's dismissal from the program.

Plagiarism is the intentional or unintentional presentation of another person's idea or product as one's own.

Plagiarism includes, but is not limited to:

o copying verbatim all or part of another's written work,

o using phrases, conclusions, charts, figures, illustrations etc. without citing sources,

o using direct quotes without quotation marks,

o offering another's work as one's own under any circumstances (including taking credit for group work without participation)

Penalties include a grade of zero or F for work, a grade of F for the course, or dismissal from the program.

Communication Policy

SCHOOL OF GRADUATE AND PROFESSIONAL STUDIES STUDENT & FACULTY COMMUNICATION GUIDELINES

 Effective communication between students and faculty is essential for student success and faculty expectations. The process below is designed to help everyone feel comfortable that their message is successfully delivered and acknowledged. Students and faculty should use the steps below to close the loop in contacting each other. Note that for questions requiring a more immediate response, students should contact faculty by telephone on their office extension.

1.)  Student emails faculty with question or deliverable.

2.)  Within one business day or as soon as the faculty sees the message, the faculty sends an email message in response that acknowledges receipt and review of message from the student. (not necessarily an answer)

3.)  If the student does not get a response acknowledging the receipt within one business day, the student should send the message again. If no acknowledgement is received, the student should call the faculty member on their office extension or the phone number listed in the course syllabus.

4.)  If the student is still unable to reach the faculty member, they should then contact Cheryl Bosse by email at [email protected]

5.)  Within 48 hours or sooner if project deadlines are involved, the faculty will respond with a feedback message on questions or assignments.

6.)  Students will respond with an acknowledgment of the feedback message from the faculty.

Student Responsibilities:

Students are responsible for communication with their instructor. There should be no delay in asking questions, expressing concern about the clarity of concepts or requesting feedback on assignments.

IMPORTANT: 

In all email communications with the instructor, students must identify themselves in the subject line of the message to include: Last Name, First Name, Course Number, and Section Number.

All University email communication will be exchanged only over SU email accounts. Students are responsible for the information sent to their SU email account and must monitor their SU accounts each day for important University and course related information. Students are required to view their SU email accounts directly or set up their SU email account to forward to an account they view regularly during the day.

Students should expect to receive a great deal of information over their SU email account. If you are not receiving regular information over a forwarded email address you should immediately investigate the problem before missing important instructions or announcements.

Network Security Agreement

All components of the Stevenson University Network Security Agreement will be enforced in this class. Failure to abide by this agreement will result in the loss of your access to the University computer facilities. The loss of computer access will not excuse you from completing any of the course requirements. Class assignments, announcements, and other materials may be distributed via e-mail, the SU network or the Internet during the semester. It is the responsibility of the student to regularly check for e-mail, to check the class network directory, to check the Internet and to report to the instructor any problem with the campus telecommunications system.

Supplemental Comments from your Instructor: One of the common tasks of a forensic computer examiner is performing the statistical examination of documents including comparative analysis based on syntax, word use frequency and content distribution patterns to ascertain authenticity, duplication and forgery.

Students with Disabilities

For details, see: http://www.stevenson.edu/academics/academic_advising/disability_services.asp
