3 Credit Hours

Prerequisites: CRJ 107, Proficiency with MS Word & PowerPoint, APA-style citation, and have a WebCT account.

Instructor: Associate Professor, Randall K Nichols
Office: Hubbard B-4
Email: rnichols@utica.edu
Phone: 315-223-2501
Office Hours: 0930 – 1700 M-F and by appointment

B. Course Description (F2F & Online)

The main goal of this course is to provide students with a comprehensive understanding of computer forensics and its investigation tools and techniques. Students will learn what computer forensics / investigation is as a profession and gain an understanding of the overall investigative process. Major personal computer operating system architectures and disk structures will be discussed. Students will learn how to set up an investigator’s office and laboratory, and understand what computer forensic hardware and software tools are required. Students will learn the importance of digital evidence controls and how to process crime and incident scenes. Finally, students will learn the details of data acquisition, computer forensic analysis, e-mail investigations, image file recovery, investigative report writing, and expert witness requirements. This course provides a range of laboratory and hands-on assignments that teach you about theory as well as the practical application of computer forensic investigation. It will teach you the basics of preparing a solid Computer Forensics Evidence Plan (CFEP), which is fundamental to preparing a legal case based on seized digital evidence.

C. Objectives / Learning Outcomes (F2F & Online)

Cybercrime and Forensics I Investigation presents methods to properly conduct a computer forensics investigation, beginning with a discussion of ethics and a mapping to the objectives of the International Association of Computer Investigative Specialists (IACIS) certification. Students should have a working knowledge of hardware and operating systems (OS's) to maximize their success on projects and exercises throughout the text. Specific topics covered include:

▪ Computer Forensics and Investigations as a Profession
▪ Understanding Computer Investigations
▪ The Investigator's Office and Laboratory
▪ Current Computer Forensics Tools
▪ Processing Crime and Incident Scenes
▪ Digital Evidence Controls
▪ Working with Windows and DOS Systems
▪ Macintosh and Linux Boot Processes and Disk Structures
▪ Data Acquisition
▪ Computer Forensic Analysis
▪ Recovering Image Files
▪ Network Forensics
▪ E-Mail Investigations
▪ Becoming an Expert Witness and Reporting Results of Investigations
▪ The Computer Forensics Evidence Plan (from the attacker & defenders
Point-of-view, (POV)

TEXTBOOKS (REQUIRED) (F2F & Online)

1. Nelson, B., Phillips, A., Enfinger, F. & Steuart, C. (2004) Guide to Computer Forensics and Investigations. Boston: Thomson Course Technology. [Guide]
2. Brown, Christopher, L.T. (2006) Computer Evidence Collection & Preservation. Hingham, MA: Charles River Media. [Brown]
3. Evers, D. H., Glover, T. J., Glover, T.M. & Miller, M.E. (2006) Pocket Partner, 4th
   ed. Littleton, CO: Sequoia Publishing. [Keep this wonderful reference. Students will
   use it in all of my classes.] [PP]

OPTIONAL (F2F & Online) (Good Material & Case Studies)

1. Jones, K.J, Bejtlich, R & Rose, C.W. (2006) Real Digital Forensics: Computer Security and Incident Response. Upper Saddle River, NJ: Addison Wesley.

Web Site (F2F & Online)

A wealth of supplementary information for our course is available at www.infosec-technologies.com & www.e-evidence.info. Material downloaded must be appropriately attributed to contributors in all team / individual papers.

Course Deliverables (F2F & Online)

Exams. There will be no formal in-class midterm or final exams. They have been
replaced by two collaborative asymmetric team projects: the Columbo series and
the New Years Eve terrorist A/D scenario.

In Re: Columbo Projects, Case Studies, and Final A/D Scenario. Note that the threat that we are addressing in Columbo team collaborative examination is the insider threat and its relationship to forensic evidence we can gather to stop it. The Columbo Group and Final scenarios ONLY require student teams to create and present / or post (F2F & Online) PowerPoint Presentations. There is no maximum on the number of PPTs.

The two assigned Case Studies (Hanssen and Regan) also address the insider threat but extend the crimes considered to Espionage and High Treason against the U.S. The two Case studies require a PowerPoint presentation of 20 PPTs minimum. There is no maximum on the number of PPTs.

The Final scenario looks at the intelligence (forensic evidence) we might gather on seized computers of a suspected terrorist. The Final scenario requires a PowerPoint presentation of 35 PPTs minimum. There is no maximum on the number of PPTs.

COLUMBO GROUP: Asymmetric Thinking Information Security / Computer Forensics Assessment (IS/CF) Project. The Columbo projects 1-4 replace the midterm. Teams form up on the first class meeting, and choose one of the “Columbo Group projects.” Students remain on the same team for Columbo project, case studies and final project.

A special team Asymmetric Thinking Computer Forensic Assessment project (Columbo) will be assigned at the beginning of the semester and due at the end of week eight. No paper is required. Teams will prepare a minimum of 35 PowerPoint slides to present in class. There is no maximum on the number of PPTs. Columbo projects 1-4 require a minimum discussion of 15 different computer forensics tools by the Teams.

NEW YEARS EVE TERRORIST SCENARIO. A semester-long Team Project covering an assigned hypothetical Forensics Criminal Attack /Defense (A/D) Scenario will be required to demonstrate collaborative skills and Asymmetric Forensics Investigative / Evaluation responses to a national crisis. This project replaces the CRJ 355 course final (F2F & Online). There is NO FINAL PAPER due. This group A/D project requires a minimum of 45 PowerPoint slides to be presented in class (F2F) or posted in the Finals Conference (Online). There is no maximum on the number of PPTs.

Remember a prime focus is the preparation of a Computer Forensics Evidence Plan from two different POV’s (the good guys who seize the computer(s) to find evidence to bring the bad guys to justice; and the bad guys who don’t want you to recover evidence and do what they can to thwart the plan, with one of their own.) And bad guys are very keen at planning their criminal actions!

The Final terrorist A/D scenario is a hot button and requires discussion using a minimum of 20 computer forensic tools. There are literally hundreds of tools available via the Internet and more being created each month. Choose the ones that will get you the most “bang for the buck.” They can be simple or complex, single-function or multi-functioned, as long as you can extract specific information to solve the particular POV you are reviewing. Remember defensive tools by the bad guy, may not be the same used as the attacker (good guy) tools. Descriptions of tools must be crisp, have an example or screenshot, and RELATE to the part of the scenario you are addressing.

Participation. Students are expected to prepare for each class meeting (F2F) and participate in the homework discussion conferences (Online). Questions based on the weekly lecturette / PowerPoint presentation and assigned text readings require students to contribute regularly. A rubric for participation is available as a benchmark (F2F & Online). Online students should expect to be posting at least 3x / week.

Bullets. Students will prepare short, relevant, current (within 7 days of class) bullets (30 - 60 second oral summaries) for each class, pertaining to this course: information security technologies, Forensics Tools and Investigations and standards, risk assessment, risk management, risk mitigation, crisis management, legal trials of national interest, national crises, terror incidents, accidents, natural disasters, maritime incidents or piracy, political or infrastructure news, LEO actions, civil / criminal actions, health issues, open intelligence, BW/CW rulings, CIS sector news, Patriot Act, NSA, CIA, WH, laws or rulings of interest; URLS, security events, interesting IT/ INFOSEC finds, agency news or actions, or webliography items. Virus bullets (and AV product news) do not count. Duplicate bullets do not count. Each class, students will be chosen randomly for presentation of their bullet(s).

The general format for a Bullet is: Author & Source, first; Title, second; Summary, third; and your Opinion or Conclusions, last. Go for 45 seconds stand up delivery. (F2F). Online students have more leeway in posting bullets and do not need to stand-up before their computer. ): (Online)

Bullets are an (INDIVIDUAL) grade differentiator!

Case Studies (Hanssen & Regan). Two PowerPoint case studies will be prepared by teams. They should demonstrate understanding of key facts, issues, practices, conclusions and recommendations for improved security posture by reducing risks /or improving forensics practices. The two case studies (Hanssen & Regan) focus on counter-espionage and insider threats at the national level and therefore, are more complex. 15 PowerPoint’s (minimum) – No maximum. It is helpful to incorporate a discussion of forensic tools. Case Study presentations are limited to 15 PowerPoint’s. Case studies will be presented using the “magic” FIRC method of briefing:

• Facts
• Issues
• Relationships or Rules
• Conclusions (and Recommendations)

Where: Facts are those gleaned from the case itself. Stick to the important stuff.

Where: Issues revolve around Information Security / Computer Forensics core problems / Risk, Threats, Vulnerability, Impact and Countermeasures applied. Issues should be presented in the form of questions (similar to scientific hypotheses) and are normally limited to three. Each Issue chosen requires a discussion. Each issue is generally addressed in the A/D scenario.

Where: Rules or Relationships may be best information security practices, computer forensics crime scene investigative standards or legal codes. This is the glue that holds addressed information security and computer investigative forensics issues together logically.

Where: Conclusions (and Recommendations) are the team's applications of the practices, rules or relationships to the information security / computer forensics issues claimed based on the facts of the case. BUT the conclusions we seek are the joint team conclusions from the A/D scenario that the team has “played” to change the case study results.

The A/D scenario is an asymmetric process of investigation of two sides of a problem. The presentation of the A/D is melded into a fixed format called FIRC, above. The Steps are: 1) read the case; 2) glean the facts; 3) determine what laws or rules apply; 4) Determine the Issues as the team sees them, not necessarily as they are presented in the case; 5) Look at both sides holistically (good guys/ bad guys) and ask how the appropriate use of CF technology could have made a difference to either side. Do this by separating the team into members covering only the attack and only the defense. 6) Pick the CF tools that your sub team thinks will change the outcome. In case #1, If the FBI had used X, Y, Z tools, would they have discovered Hanssen’ treachery earlier? Or If Hanssen had used other CF tools, would he have escaped prison and detection? 7) The team lead coordinates the activity and at the end brings the two sub teams back for a comparison on notes. These notes become the Conclusions in FIRC.

For distance learning students (Online only) Assignment substitutions will be made for various lab projects, as appropriate, to accommodate online status. [For example, see “Student Journal” requirement below.]

Student Journal (Online Students only) For their student presentation, students will download computer forensic or intrusion detection (ID) software (freeware or demo copies) [but not Anti-Virus /Anti-Malware / Anti-Spyware] and experiment with it to see how effective it is. Online students will keep a Student Journal of their investigations for their downloaded forensic /ID software. It can be in any reasonable format provided that it is readable by anyone interested, and that the conclusions drawn as well as methodologies discovered / steps used to install, operate and test the software must be repeatable for any investigator using your diary. It is recommended that students journal every step of the investigation process and post it to the journal conference per the schedule. This will give each of the class a wide range of experiences with tools in this discipline. “Last minute” Journals rarely make the grade. Students who only use plagiarized “help files” for SJ are a recipe for career loss. SJ should represent personal experience and be appropriately referenced.

PowerPoint Presentations (F2F & Online) ALL PowerPoint Presentations, papers and case studies must be available to the instructor in electronic form on a memory stick, CDROM or floppy disk. It is helpful for teams to pass out / post a 2-page After-Action Report (AAR) using your PPTs to the class for the two collaborative asymmetric research presentations. (F2F & Online)

Team Emphasis (F2F &Online) Note, in my classes; there is a significant emphasis on teamwork. Choose your teammates and team leader carefully. Information security / Forensics Investigation challenges are handled well through teamwork and joint knowledge.

More On Teams Regarding team formations: First you choose your midterm
Project: Columbo 1,2,3,4. Every team does both sides of the analysis (good guy and bad guy –two POVs). Teams collaborate to decide who wants to do the attack side and who wants to do the defense side. It is up to the team who performs what function on the problem. You work together and separately. At the end of the preparations,

You come together and share what happened, report it in PPTs and in the AAR.

Your Columbo team is the same team you work with and are graded with for the two Case Studies, Midterm and Final research projects.

TEAMS are SELF- DIRECTED and SELF-POLICEING.

The Team Captain coordinates the projects, is responsible for the presentations and / or papers due, resolves differences, encourages participation, facilitates and checks for spelling, and writing flow of the resulting work, insures that best work is produced. Team Captains are the liaison with me and I fully support his/her actions.

The Team Captain is in charge and is responsible for the delivery of the assignments. It is incumbent and responsibility of the teams to support the person they chose. Frankly, the team grade depends on it. Be professional. Let your team captain know if you are going to miss a class or be late on a team assignment. This way someone on your team can cover for you.

Teams are generally broken down into an attack and defense sub-teams of 2 or 3. One side chooses the attack side (the good guys, who are tasked to investigate the bad guys and participate in the seizing evidence from computers per a pre-established Computer Forensics Evidence plan). The defense side of the scenario (bad guys must not only figure out how do the crime but also how to stop the good guys from finding EVIDENCE to put them in jail or finding them at all.

The attack side of an A/D must develop a solid Computer Forensics Evidence plan to investigate the bad guy’s computer(s). Step by step. It is should be comprehensive. Assume that the DA or AG will use your plan to develop their legal side of the case. Consider Authentication, Chain-of Custody, traps, Jurisdiction, applicable State and Federal laws, types of evidence, specific tools that you will use and why, supplemental evidence such as pictures, cross-tying evidence such as GID#s.

The bad guys (the Defense side of the A/D) are not stupid. They must also have a plan to hide evidence. Use cryptography or steganography if you like. Set malware traps, set hardware traps, prevent the viewing of data, hide files, put in spiders and self-destroys. The cleverer the bad guys plan, the tougher the attack team will have to work. Consider which tools are important. Bad guys work by a plan too - a specific one.

The third part of the analysis is the AAR or After Action Report (generally 3-4 slides), which is where the team as whole collaborates on the project. They compare notes. They share findings, tools, details. They present their JOINT conclusions on what part of the attack(s) worked and what didn't. Lastly, mitigation (if possible) of those differences is presented in one slide. When you look at both sides of the criminal enterprise, you will do a better job of getting the evidence you need that will hold up in courts. Go unprepared and watch what the defense lawyers do to you in cross-examination.

All team-members earn the SAME grade subject to the P2P evaluations procedure discussed below.

CF Tools. There are many CF tools. What is important is when to use them,
what information they give you, and what they don’t. Your object is the bigger picture of the evidence plan that must hold up in court. Pick the wrong tool and the authentication might be challenged. The criminal goes free.

It is helpful to think of the evidence plan in terms of Risk. Risk = Threats X Impact X Vulnerabilities / Countermeasures. This is a reverse of how we normally think of information security (IS). In this case the criminal is applying the countermeasures!

A/D Scenario Presentation Considerations

1. Devise a Detailed Computer Forensics Evidence Plan from both the Attacker (the good guys seizing the computer) and the Defender (the defendant’s who committed the crimes and want to prevent evidence from surfacing for scrutiny) point of views (POVs). Your answer must be both organized and flow from one slide to another.
2. What tools would you use and why? What information do they give you? What information can you hide? Show examples but don’t fill up your PPTs only with screen shots.
3. What laws and standards must you be mindful of?
4. What best practices would you use (reference them)?
5. What are the risks of in terms of evidence collection, chain-of custody, warrants, banners, and authentication, “fruit of the tainted tree issues” Other risks?

Some additional considerations for Case Studies

1. What conclusions can you draw from the case [improve on the preliminary analysis]?
2. Go to the heart of this case, research it, what additional information can you find?
3. Does it bother you that public records can be compromised so easily? Are their other examples?

Extra Point Projects (F2F & Online) Points earned by students who qualify may be used to improve individual assignments only.

Featured Software (F2F & Online) Each week, students will be exposed to a single computer forensics program (demo or freeware) that they should experiment with and comment on in the featured Software Forum (Online) or by email to the instructor. The featured software is a productive way to learn some of the forensic principles in practice.

5. Grading (F2F & Online)

The final course grade will be determined as follows:

1. Columbo Groups 1-4: Asymmetric Computer Forensics Mid-term Project (Team) -- 25%
2. Computer Forensics Asymmetric Research Paper & Analysis and PowerPoint Presentation (Team) -- 35%
3. Two Forensic Case Studies (Team) -- 10% [due one week after assignment]
4. Bullets & Participation, short Laboratory Assignments (up to 4 for F2F) -- regular submissions of "Bullets" or webliography (Individual grading) & featured software discussions -- 30%
   1. [Bullets = 1-3 each F2F class, students presenting are chosen randomly; or for Online students 1-3 bullets added to the bullets discussion board each week]. Online students are expected to comment intelligently (not “flame”) other student’s posted bullets.
   Distance learning students (Online status only): The Student Journal will be worth up to 1/3 of the participation grade. So, bullets / webliography /featured software, participation = 20%; Student Journal = 10%.
5. Notes Regarding Online & Distance Learning Students

On-Line Format The format of the Online session will be Socratic style. I will post questions in the homework conferences for you to respond to. There will be accompanying lecturettes and slides to assist you with the subject matter. I do ask that students use literature references in their responses. APA referencing will be required. The team collaborative paper requirements will be posted in the class issues conference. I will post sign up topics for you to use to join a team. First come, first served. By the end of the first week, if you don’t choose a topic, I will help you volunteer.

Online Participation Students are expected to participate /contribute regularly, e.g., 2-3 times a week. You should plan on participating just as though you are having an ongoing conversation. This means that you may want to check conferences a few times a week and respond to what you see there and engage others in a simulated dialog. Use the sort by Date and Author features as well as the "Read All Notes" button to help you speed through the new postings. Please "talk" to one another during the week as well as to me when you are addressing any topical discussions we have. It's impossible to have much of a thoughtful conversation if everyone saves participation in the discussion for late Sunday night.

As part of your participation and response, you may hyperlink websites or materials from your own web page if they enhance your participation. I evaluate participation on its thoughtfulness, engagement, and insight and web-courtesy. Flames are not an appropriate response to genuine interest or questions. There is a participation rubric available in the course materials area. Further, I monitor all the Online discussion and bullet conferences. Think of this as a gauge of both student participation and “virtual attendance.”

Credit will be given for discussions in the appropriate UC WebCT forums and not for “off the books chats” or other communication meetings. Students using chat, IM, or non-UC email systems should copy a log of those chats, etc. and submit to the UC WebCT forum so appropriate participation credit may be received.

Submitting Online Assignments Please submit your assignments in HTML, RTF, or plain text when they are due. You may post them to the Assignment Area (or send them as attachments to email). You will lose 10% of the assignment grade for an assignment for each day late.

Please keep copies of all assignments that you send to me and all that I return to you with my comments. If you revise an assignment, please send your original with my comments, along with the revised assignment, in the same email. Note that you have revised the assignment and what you think you did to improve the original.

Please label all submissions, files, and emails with your Team Name. This avoids confusion.

Getting WebCT or computer Online Help is available at the Utica College IT Help Desk at helpdesk@utica.edu or (315) 792-3115. Have your login ID, password, and your class and section numbers when you call or include them in your email. Include information about your browser; system or any other details you think will be needed by the folks at WebCT Help and Support to assist you. Cut and paste the actual error notices that pop up for even better responses.

Summing Up a Successful Online WebCT Student A successful WebCT student is one who reads the materials thoroughly before responding, participates regularly, engages the material and others with enthusiasm and courtesy, schedules time to do the work, asks for help when it is needed, interacts with others in the class, is self-motivated, turns in well-drafted, proofed assignments, and keeps copies of all work and my responses in case of an emergency.

Virtual Hours Our virtual week goes from Monday through Saturday. Many clear-weather Saturdays and Sundays I am on the Chesapeake Bay onboard the CRYPTO-WIZ. This is not a good time to call me. Satellite coverage is good but my brain coverage is noisy. The rest of the week, you can call or e-mail me anytime between 1030-1700 Hrs EST. It is not unusual for me to respond to your e-mails as late as 0400 Hrs EST. I usually return e-mail within 4 hours. When you respond to me, use your e-mail Reply option and include the last message so I know what our conversation was about. I'll do the same for you. If you do not hear from me within this timeframe, please do not hesitate to e-mail me again, as I may not have received your e-mail. When you e-mail me, please include in the subject line the course identifier number and the topic of your e-mail. Also please include your name in the text message, as some e-mail addresses give no clue as to their owners – and you will find your email part of my anti-SPAM ELLA filter. If you have multiple e-mail addresses, please advise me.

D. Course Content and Pedagogy

This course will span approximately 16 weeks with one (or part of one) module being taught each class session.

Course Schedule

Course Policies and Procedures (F2F & Online)

Grading: (F2F & Online) According to Utica College standard grading scale and policy: A 93-100;
A- 90-92.9; B+ 88-89.9; B 83-87.9; C+ 78-79.9; C 73-77.9; C- 70-72.9; D+ 68-69.9; D 63-67.9; D- 60-62.9; and F 0-59.

The grade range of B represents the benchmark for this class. It indicates that the student (or team) has demonstrated competency in the subject matter of the course, e.g., has fulfilled all course requirements on time, has a clear grasp of the full range of course materials and concepts, and is able to present and apply these materials and concepts in clear, well-reasoned, well-organized, and grammatically correct responses, whether written or oral.

Writing Standards (F2F & Online) Effective managers, leaders, and teachers are also effective communicators. Written communication is an important element of the total communication process. Utica College recognizes and expects exemplary writing to be the norm for course work. To this end, all papers, individual and group, must demonstrate graduate level writing and comply with the format requirements of the Publication Manual of the American Psychological Association, (5th Edition) or www.apastyle.org. Careful attention should be given to spelling, punctuation, source citations, references, and the presentation of tables and figures. Other resources are: The Elements of Style (Strunk and White), 100 Ways to Improve Your Writing (Provost) and the Utica College Writing Center at Hubbard Hall, Room 216.

Timeliness (F2F & Online) It is expected that all course work will be presented on time and error free. Work submitted online should follow standard procedures for formatting and citations. Since most of our class work is performed in team format, students have a responsibility to their team and this class. They must make arrangements with the team leader for missed participation. Except for military service, verifiable medical leave or bereavement leave, there will not be any late grading.

Students should respect the learning atmosphere of others by not coming in late or leaving early.

Academic Integrity and Plagiarism (F2F & Online) Academic integrity is central to the learning and teaching process. Students are expected to conduct themselves in a manner that will contribute to the maintenance of academic integrity by making all reasonable efforts to prevent the occurrence of academic dishonesty. Academic dishonesty includes, but is not limited to, obtaining or giving aid (electronically or in person) on an examination, having unauthorized prior knowledge of an examination, doing work for another student, and plagiarism of all types.

Plagiarism is the intentional or unintentional presentation of another person’s idea or product as ones own. Plagiarism includes, but is not limited to, the following: copying verbatim all or part of another’s written work; using phrases, charts, figures, illustrations, or mathematical or scientific solutions without citing the source; paraphrasing ideas, conclusions, or research without citing the source; and using all or part of a literary plot, poem, film, musical score, or other artistic product without attributing the work to its creator. Students can avoid unintentional plagiarism by following carefully accepted scholarly practices. Notes taken for papers and research projects should accurately record sources to material to be cited, quoted, paraphrased, or summarized, and papers should acknowledge these sources. The penalties for plagiarism or intentional cheating include a zero or a grade of F on the work in question, a grade of F in the course, suspension with a file letter, suspension with a transcript notation, or expulsion. Students may learn more about Utica College’s formal policies at: http://www.utica.edu/academic/catalog/academicregulations.pdf

Attendance (F2F) Attendance will be taken in order to comply with college administrative requirements. Consistent with Criminal Justice Department and the new Cybercrime, Computer Forensics & Information Assurance policies, grading penalties will be imposed for excessive lack of attendance. The Department has defined “excessive” as more than three (3) unexcused absences from classes that meet three times a week or two (2) unexcused absences from class that meets twice a week. The penalty for additional unexcused absences is the demotion of one letter grade for each additional unexcused absence.

Disabilities (F2F & Online) Any student who needs an accommodation due to a disability should make an appointment to discuss the accommodation. A memo from the Coordinator of Learning Services authorizing the accommodation is required (Kateri Henkel, khenkel@utica.edu, 315-792-3032).

Course Evaluations (F2F & Online) Feedback on each undergraduate course and instructor is important to the College, your professor, and to all students. Utica College has the responsibility to assess the effectiveness of classroom instruction, and each student has the responsibility to provide accurate and timely feedback through completion of the course evaluation form.

Email Messages (F2F & Online) Please remember to put [CRJ 355] in the Subject of every email. In my online courses, the volume of email and attachments is significant.

Attendance (F2F) Class attendance will be recorded in random classes during the semester. Unexcused attendance(s) affects negatively both your individual participation grade and your team’s performance. Those involved in sports please contact your respective coaches to provide me a written schedule for practice sessions and games so that you do not get marked absent.

P2P Team Evaluations and Performance (F2F & Online) 80% of our course is Team-Based. Further, the mid-term and final projects are very asymmetric. There is no book or reference or “quick-guide” or URL that has the specific answers. The goal is to present a reasonable and logical team-solution to a difficult (even unusual) assignment based on best information security practices and technologies gleaned from your research and our class materials. Your grade is determined by how well your team accomplishes this goal working collaboratively. We think, learn, evaluate, problem-solve, generate ideas and possibilities and write better as a team. Research confirms that teams consistently out-perform the “star” individualist. This is real world. Information assurance issues in organizations are rarely assigned to one person – regardless of how strong or technically adept that he/she is. They solve the big problems in real time, team format, with collaborative working sessions.

Over my career, I have found that teams work effectively – most of the time. In general, all team-members receive the same grade on exams and projects. This policy is subject to the P2P (peer-to-peer) team evaluation process. When a team does not interact well as a team or one member intentionally does not participate effectively, or when the team leader is at terrible odds with the team itself and refuses to be flexible or improve the “lens of understanding,” we have the P2P policy to fall back on. P2P’s may optionally submitted (for the semester) by any team or team member within one week after the final project/exam. P2P’s are strictly confidential and I maintain these records for many years. Students are subject to an individual grade penalty of up to 20% of their grade if their overall performance is found deficient by a majority of their team-members. The team keeps the score-card on itself. As a practical matter, I discourage the formal P2P process and encourage teams and team leaders to solve their own problems “in-house.” I will be glad to help and encourage positive results in our teams in every way I can before using the P2P disincentive. Students receiving a reduction of grade based on the P2P process will be notified by me in writing.

Cell / Picture Phones, Palm pilots and Pagers (F2F) Turn off all your electronics before entering our class. These devices are enormously disturbing and rude to your fellow students and me. Frankly, We are more important! Use of these devices during class or especially during an exam, may earn you an F for the class session or on your test. Further, you will need to show cause why you should remain in my class for the balance of the semester.

Food (F2F ) The Golden Rule applies. Strive to leave the classroom in better shape than when you entered it. “Pay it forward”, it works!

Class Discussions (F2F & Online) We bring differing points of view to this class. Participation is not only encouraged but many times I will put a fire under the class to analyze issues with variety of perspectives. Be prepared to take the side of a brisk discussion (not argument or personal attacks) that is in conflict with your own. Challenge yourselves – especially when solving asymmetric team problems. Respect and professionalism are the operative guidelines for our discussions.

Extra Credit Work (F2F & Online) The punishment for good work is more work and respect. Extra credit assignments (limit one per student per semester) are available for students who enjoy individual achievement, want to learn more and are excited by the material as a possible vocation or sense that they need a few more points to improve their grade. I believe in the “pay it forward” principle. Extra credit assignments (worth up to one grade level) are designed to help my current and future students by developing accurate, current resource materials. Extra credit assignments must be completed on time to be valued. They do not replace any of the normal exams, asymmetric team work, assignments or case studies. “Extra” is the operative word.

Death March Team (DMT) Eligibility Students (F2F & Online) who maintain an A level average in this class may be invited to join the DMT. This is quite an honor. DMT represents a network of over 85 of my active working Graduate students from George Washington University, Towson University, University of Maryland University College, Tulane University, Capitol College, US Army, US Navy, USCG, USJCS, White House, DOD, DHS, FBI National Academy, NSA and major security organizations (SAIC, BAH, ASFT, Anteon, Credant Technologies) that collaboratively work on some fascinating short-term challenges. They evaluate new “beta” technologies, prepare presentations as a team to national conferences, provide speakers for local events, and critique each others papers. It is a network that helps each other find work in senior positions. We always attribute our work professionally; maintain a code of professional ethics and work to improve our profession. We are committed to each other’s professional success. Respect is our currency.

Disclaimers (F2F & Online) This course examines inter alia ethical and legal dimensions of on-line behavior. It is not intended to turn information technology professionals into lawyers. Many of the topics to be discussed will be concerned with the law and legal implications of certain behavior. Every effort is made to provide accurate and complete information. However, at no time during this course will legal advice be offered. Any student requiring legal advice, should seek services of a lawyer authorized to practice in the appropriate jurisdiction.

This class will explore technology and management issues related to elements of holistic information security. Specific technologies and techniques used by hackers, crackers, spies and thieves to obtain access to sensitive, private information are discussed and explored. Students are reminded that it is a violation of Federal and some state’s laws to attempt to gain unauthorized access to information assets or systems belonging to others, or to exceed authorized on systems to which they have been granted access. At no time in this class should any student violate either laws or confidences.

This class is not about pushing the envelope or hacking, and any violation of legal boundaries in the course of this class will be considered a violation of the class trust and will be subject to sanctions in grading.

F. References (F2F & Online): (Additional course material may be drawn from these optional readings. They will be available via email or hand-outs from instructor, on WebCT common area, or placed on 3-day reserve at Frank E. Gannett Memorial Library)

Amoroso, E. (2000) Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Trace back, Traps and Response, Intrusion.Net Books.

Archibald, N., Fogie, S., Kamininsky, D., Long, D., Hurley, C. et.al. (2005) Aggressive Network Self-Defense, Rockland, MD:Syngress.

Bidgoli H., Editor-in-Chief. (2006) Volume 1: Handbook of Information Security: Key Concepts, Infrastructure, Standards, and Protocols. Hoboken, New Jersey: Wiley.

Bidgoli H., Editor-in-Chief. (2006) Volume 2: Handbook of Information Security: Information Warfare; Social, Legal and International Issues; and Security Foundations. Hoboken, New Jersey: Wiley.

Bidgoli H., Editor-in-Chief. (2006) Volume 3: Handbook of Information Security: Threats, Vulnerabilities, Prevention, Detection, and Management. Hoboken, New Jersey: Wiley.

Brown, C. L.T. (2006) Computer Evidence: Collection & Preservation, Hingham, MA: Charles River Media.

Casey, E. (ed) (2000) Digital Evidence and Computer Crime, Academic Press.

Casey, E. (ed) (2002) Handbook of Computer Crime Investigation: Forensic Tools and Technology. Academic Press.

Caswell, B. (2003) Snort 2.0 Intrusion Detection, Syngress.

Cordesman, A.H. (2002). Cyber-Threats, Information Warfare, and Critical Infrastructure Protection: Defending the U.S. Homeland. Westport Connecticut: CSIS publications.

Curts, R.J. & Campbell, D.E. (2003). Building a Global Information Assurance Program. New York: Auerbach.

Dorothy, D. (1999). Defending the Nation: Information Warfare and Security. Boston: ACM Press.

Erbschloe, M. (2003) Guide to Disaster Recovery. Boston: Thomson Course Technology.

Evers, D. H., Glover, T. J., Glover, T.M. & Miller, M.E. (2006) Pocket Partner,
4th ed. Littleton, CO: Sequoia Publishing.

Fair, T., Nordfelt, M., Ring S. & Cole, E. (2005) Cyber Spying, Rockland, MD: Syngress.

Farmer D. & Venema, W. (2005) Forensic Discovery, Upper Saddle River, NJ: Addison Wesley.

Foster, J.C. (2006) Writing Security Tools and Exploits, Rockland, MD:Syngress.

Grimes, R.A. (2003) Malicious Mobile Code: Virus Protection for Windows, O’Reilly.

Hall, W. M. (2003). Stray Voltage: War in the information age. Annapolis, MD: Naval Institute Press.

Hoglund G. & Butler, J. (2006) Rootkits: Subverting the Windows Kernel, Upper Saddle River, NJ: Addison Wesley.

Jones, K.J., Bejtlich R. & Rose, C.W. (2006) Real Digital Forensics: Computer Security and Incident Response, Upper Saddle River, NJ: Addison Wesley.

Lekkas, P.C. (2003) Network Processors: Architectures, Protocols and Platforms, McGraw-Hill.

Lewis, J.A. (December, 2002) Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats. Center for Strategic and International Studies. Washington, DC.

Long, J. (2005) Google Hacking, Rockland, MD:Syngress.

Long, J., Bayles, A.W., Foster, J.C. et.al. (2006) Penetration Tester's Open Source Toolkit, Rockland, MD:Syngress.

Middleton, B. (2001) Cyber Crime Investigator’s Field Guide. Auerbach Press.

National Science and Technology Council. (April, 2006) Federal Plan for Cybersecurity and Information Assurance Research and Development, Report by the Interagency Working Group. Arlington, VA: NCO/NITRD. Available from www.nitrrd.gov

Nelson, B., Phillips, A., Enfinger, F. & Steuart, C. (2004) Guide to Computer Forensic and Investigations, Thomson Course Technology: New York.

Nichols R. K, Ryan, D. J., & Ryan, J.C.H. (2002) Defending your Digital Assets, Against Hackers, Crackers, Spies and Thieves, McGraw-Hill.

Nichols, R.K. & Lekkas, P. C. (2002). Wireless Security: Models, Threats, Solutions. New York, NY: McGraw Hill.

Noonan, W.J. (2004) Hardening the Network Infrastructure, NYC: McGraw Hill.

Parker, T., et.al. (2004). Cyber Adversary Characterization. Rockland, MD: Syngress.

Peltier, T. R. (2006). Information Security Risk Analysis.2nd ed. Boca Raton, FL: Auerbach.

Pfleeger, C. & Pfleeger, S.L. (2003) Security in Computing, 3rd ed., PTR.

Pipkin, D. L. (2000). Information Security: Protecting the Global Enterprise. Upper Saddle River, NJ: HP Professional Books.

Prosise, C. (2001) Incident Response: Investigating Computer Crime, McGraw-Hill.

Rattray, G. J. (2001). Strategic warfare in cyberspace. London: MIT Press.

Rosenblatt, K.S. (1996) High-Technology Crime: Investigating Cases Involving Computers, KSK Press.

Schneier, B. (2003). Beyond Fear: Thinking Sensibly about Security in an Uncertain World. New York: Copernicus.

Schwartau, W. (1996). Information Warfare: CyberTerrorism: Protecting Your Personal Security in the Electronic Age. New York: Thunder's Mouth Press.

Skoudis, E. & Zeltser, L. (2004) Malware: Fighting Malicious Code, PH.

Schultz, E., Mellander, J. & Endorf, C.F. (2003) Intrusion Detection, McGraw-Hill.

Secret Service Evidence Best Practices: http://www.secretservice.gov/electronic_evidence.shtml

Shinder, D. L, & Tittel, Ed (editor). (2002) Scene of the cybercrime: Computer forensics handbook. Syngress Shinder Books.

Vacca, J.R. (2003) Computer Forensics: Computer Crime Scene Investigation, Charles River Media.

Verton, D. (2004). Black Ice: The Invisible Threat of Cyber-Terrorism, (ICE) San Francisco: Osborne.

White, J. R. (2004). Defending the Homeland: Domestic Intelligence, Law Enforcement, and Security, New York: Thomson –Wadsworth.

Whitman, M.E, & Mattord, H.J. (2004). Management of Information Security, Boston: Thomson Course Technology.

Whitman, M.E. & Mattord, H.J. (2005) Principles of Information Security, 2nd ed. Boston: Thomson Course Technology.

Yourdon, E. (2002). Byte wars: The impact of September 11 on information technology. Upper Saddle River, NJ: Prentice Hall.