3 Credit Hours

Prerequisites: CRJ 107, Proficiency with MS Word & PowerPoint, APA-style citation, and have a WebCT account.Both F2F & Online classes use WebCT for posting Bullets, Case Presentations, Featured software discussions, Columbo and Final A/D scenarios. Grading is based in part on these postings.

Instructor: Associate Professor, Randall K Nichols
Office: Hubbard B-4
Email: rnichols@utica.edu
Phone: 315-223-2501
Office Hours: 0930 – 1700 T-TH and by appointment

B. Course Description (F2F & Online)

The main goal of this course is to provide students with a comprehensive understanding of computer forensics and its investigation tools and techniques.  Students will learn what computer forensics / investigation is as a profession and gain   understanding of the overall investigative process.  Major personal computer operating system architectures and disk structures will be discussed. 

C. Objectives / Learning Outcomes (F2F & Online)

Cybercrime and Forensics I Investigation presents methods to properly conduct a computer forensics investigation, beginning with a discussion of ethics and a mapping to the objectives of the International Association of Computer Investigative Specialists (IACIS) certification. Students should have a working knowledge of hardware and operating systems (OS's) to maximize their success on projects and exercises throughout the text. Specific topics covered include:

▪ Computer Forensics and Investigations as a Profession
▪ Understanding Computer Investigations
▪ The Investigator's Office and Laboratory
▪ Current Computer Forensics Tools
▪ Processing Crime and Incident Scenes
▪ Digital Evidence Controls
▪ Working with Windows and DOS Systems
▪ Macintosh and Linux Boot Processes and Disk Structures
▪ Data Acquisition
▪ Computer Forensic Analysis
▪ Recovering Image Files
▪ Network Forensics
▪ E-Mail Investigations
▪ Becoming an Expert Witness and Reporting Results of Investigations
▪ The Computer Forensics Evidence Plan (from the attacker & defenders
Point-of-view, (POV)

TEXTBOOKS (REQUIRED) (F2F & Online)

1. Nelson, B., Phillips, A., Enfinger, F. & Steuart, C. (2004) Guide to Computer Forensics and Investigations. Boston: Thomson Course Technology. [Guide]
2. Brown, Christopher, L.T. (2006) Computer Evidence Collection & Preservation. Hingham, MA: Charles River Media. [Brown]
3. Evers, D. H., Glover, T. J., Glover, T.M. & Miller, M.E. (2006) Pocket Partner, 4th
   ed. Littleton, CO: Sequoia Publishing. [Keep this wonderful reference. Students will
   use it in all of my classes.] [PP]

OPTIONAL (F2F & Online) (Good Material & Case Studies)

1. Jones, K.J, Bejtlich, R & Rose, C.W. (2006) Real Digital Forensics: Computer Security and Incident Response. Upper Saddle River, NJ: Addison Wesley.

Web Site (F2F & Online)

A wealth of supplementary information for our course is available at www.infosec-technologies.com & www.e-evidence.info. Material downloaded must be appropriately attributed to contributors in all team / individual papers.

Course Deliverables (F2F & Online)

Exams. There will be no formal in-class midterm or final exams. They have been
replaced by two collaborative asymmetric TEAM projects: the Columbo series and
New Years Eve terrorist A/D scenario. From time to time, written quizzes or papers may be required to assess student’s comprehension of text materials.

In re Cases: The two assigned Case Studies (Hanssen and Regan) address the insider threat and extend the crimes considered to Espionage and High Treason against the U.S. The two Case studies require a PowerPoint presentation of a minimum of 50 PPTS. There is no maximum on the number of PPTs. Case studies require a minimum discussion of 10 different computer forensics tools to be discussed by Teams.

In Re: Columbo Projects: The threat that we are addressing in Columbo team collaborative examination is the insider threat. We are interested in determining relationships to forensic evidence. The Columbo scenario requires student teams to create and present / AND post to WebCT (F2F & Online) a PowerPoint Presentation. Columbo requires a minimum of 75 PPTS. There is no maximum on the number of PPTs. The Columbo Midterm requires a minimum discussion of 15 different computer forensics tools to be discussed by Teams.

The Final multi-issue A/D scenario looks at the intelligence (forensic evidence) we might gather on seized computers of a suspected terrorist. The Final scenario requires a PowerPoint presentation of 100 PPTs minimum. There is no maximum on the number of PPTs. The Final scenario requires a minimum discussion of 20 different computer forensics tools to be discussed by Teams.

In re CFEP: Remember a prime focus is the preparation of a Computer Forensics Evidence Plan from two different POV’s (the good guys who seize the computer(s) to find evidence to bring the bad guys to justice; and the bad guys who don’t want you to recover evidence and do what they can to thwart the plan, with one of their own.) And bad guys are very keen at planning their criminal actions!
 
The Final terrorist A/D scenario is a hot button and requires discussion using a minimum of 20 different computer forensic tools. There are literally hundreds of tools available via the Internet and more being created each month. Choose the ones that will get you the most “bang for the buck.” They can be simple or complex, single-function or multi-functioned, as long as you can extract specific information to solve the particular POV you are reviewing. Remember defensive tools by the bad guy, may not be the same used as the attacker (good guy) tools. Descriptions of tools must be crisp, have an example or screenshot, and RELATE to the part of the scenario you are addressing.

Participation. Students are expected to prepare for each class meeting (F2F) and participate in the homework discussion conferences (Online). Questions based on the weekly lecturette / PowerPoint presentation and assigned text readings require students to contribute regularly. A rubric for participation is available as a benchmark (F2F & Online). Online students should expect to be posting AT LEAST 3x -5x / week.

Bullets. Students will prepare short, relevant, current (within 7 days of class) bullets ( 60 second oral /written summaries) for each class, pertaining to this course: information security technologies, Forensics Tools and Investigations and standards, risk assessment, risk management, risk mitigation, crisis management, legal trials of national interest, national crises, terror incidents, accidents, natural disasters, maritime incidents or piracy, political or infrastructure news, LEO actions, civil / criminal actions, health issues, open intelligence, BW/CW rulings, CIS sector news, Patriot Act, NSA, CIA, WH, laws or rulings of interest; URLS, security events, interesting IT/ INFOSEC finds, agency news or actions, or webliography items. Virus bullets (and AV product news) do not count. Duplicate bullets do not count.

The general format for a Bullet is: Author & Source, first; Title, second; Summary, third; and your short (one paragraph) Opinion or Conclusions, last. Online students are not only expected to post their own bullets each week, they are expected to comment on two of their classmate’s bullets. Bullets are not expected to be original materials.

The Anti-Virus Bullet Rule and Considerations

Bullets need to be focused, fact-based, and supported by a reasonable source. They need to show me that you have thought about the material / subject presented. Bosses use this technique often. Best guess thinking, aka Delta approach. They should include: 1) Issue in the form of a question; 2) A SHORT, in your words, if possible, discussion of the issue; 3) Applicable laws or rules or best practices; 4) Conclusion based on the evidence presented and 5) Spellchecked.

They should not include: 1) Feeling statements. Investigators should not put their feelings into evidentiary issues; 2) long winded “shotguns” about everything you could find at the source but no real substance; 3) clear Bravo Sierra. I read them all. 4) Must not break the AV / AS rule below. Consider this POISON to your grade; 5) Not use the word UTILIZE. The correct word in every language is USE; 6) Use the Bullet forum only for Bullets not personal issues that should be discussed with your TL or in the Student Kiosk; 7) Duplicated, if possible. Check the board first before posting; 8) Single-sourced. Learn to expand your comfort zone and read other media to get information. It doesn’t matter if you agree with it politically. It might be accurate.

Virus bullets (and AV product news) do not count. Duplicate bullets do not count. There are quality bullets and there are not so quality ones. There are A bullets which go directly to the gradebook in your favor. There are 2 conditions I look for in addition to the quality of Bullets: 1) currency [bullets should be not more than 7-days old or if older, need to be updated with a current reference on the same subject] and let me repeat, 2) bullets about viruses or malicious software in any form, including spyware, bots, webbugs, Trojans, rootkits, worms, computer programs to stop them, script kiddies, AV company information, new marketing program signatures or even legal stuff about them are boring information and should be avoided, like poison. There are literally hundreds of homeland security /risk assessment events happening around the world; INFOSEC newsletters, newspapers, formal /informal initiatives, CT resources that provide raw high-grade material for bullets.

Bullets are an (INDIVIDUAL) grade differentiator!

Case Studies (Hanssen & Regan). Two PowerPoint case studies will be prepared by teams. They should demonstrate understanding of key facts, issues, practices, conclusions and recommendations for improved security posture by reducing risks /or improving forensics practices. The two case studies (Hanssen & Regan) focus on counter-espionage and insider threats at the national level and therefore, are more complex. 75 PowerPoint’s (minimum) – No maximum. A discussion of at least 10 different computer forensic tools is expected.

Class Case studies, Midterm & Final will be presented using the “Magic” FIRC method of briefing:

• Facts
• Issues
• Relationships or Rules
• Conclusions (and Recommendations)

Where: Facts are those gleaned from the case itself. Stick to the important stuff.
 
Where: Issues revolve around Information Security / Computer Forensics core problems / Risk, Threats, Vulnerability, Impact and Countermeasures applied. Issues should be presented in the form of questions (similar to scientific hypotheses) and are normally limited to three. Each Issue chosen requires a discussion. Each issue is generally addressed in the A/D scenario.
 
Where: Rules or Relationships may be best information security practices, computer forensics crime scene investigative standards or legal codes. This is the glue that holds addressed information security and computer investigative forensics issues together logically.
 
Where: Conclusions (and Recommendations) are the team's applications of the practices, rules or relationships to the information security / computer forensics issues claimed based on the facts of the case. BUT the conclusions we seek are the joint team conclusions from the A/D scenario that the team has “played” to change the case study results.
 
The A/D scenario Analysis is an asymmetric process of investigation of two sides of a problem. The presentation of the A/D is melded into a fixed format called FIRC, above. The Steps are:

1. Read the case;
2. Glean the facts;
3. Determine what laws or rules apply;
4. Determine the Issues as the team sees them, not necessarily as they are presented in the case;
5. Look at both sides holistically (good guys/ bad guys) and ask how the appropriate use of CF technology could have made a difference to either side. Do this by separating the team into members covering only the attack and only the defense.
6. Pick the CF tools that your sub team thinks will change the outcome. For example, in case #1 Hanssen; Issue 1: How would the FBI used X, Y, Z tools, to have discovered Hanssen’ treachery earlier? Issue 2: Or If Hanssen had used other CF tools, could he have escaped prison and detection? And for Issue 3: What policies need to be changed as a result of the Hanssen case?
7. The team lead coordinates the activity and at the end brings the two sub teams back for a comparison on notes. These notes become the Conclusions in FIRC. Students will find a further discussion of this melding process under course content.

PowerPoint Presentations (F2F & Online) ALL PowerPoint Presentations, papers and case studies must be available to the instructor in electronic form on a memory stick, CDROM or floppy disk AND or posted to the appropriate conference (Online & F2F). It is helpful for teams to pass out / or post a 2-page After-Action Report (AAR) using your PPTs to the class for the two collaborative asymmetric research presentations (Columbo & Final A/D). (F2F & Online)

Team Emphasis (F2F &Online) Note, in my classes; there is a significant emphasis on teamwork. Choose your teammates and team leader carefully. Information security / Forensics Investigation challenges are handled well through teamwork and joint knowledge.

More On Teams Regarding team formations: First you choose your midterm

Project: Columbo 1,2,3,4. Any student left without choice will be assigned to a team by the instructor, after the first week. Every team does both sides of the analysis (good guy and bad guy –two POVs). Teams collaborate to decide who wants to do the attack side and who wants to do the defense side. It is up to the team who performs what function on the problem. You work together and separately. At the end of the preparations, you all come together and share what happened, report it in PPTs and in the AAR.
 
Your Columbo team is the same team you work with and are graded with for the two Case Studies, Midterm and Final research projects.
 
TEAMS are SELF- DIRECTED and SELF-POLICEING.

The Team Leader coordinates the projects, is responsible for the presentations and / or papers due, resolves differences, encourages participation, facilitates and checks for spelling, and writing flow of the resulting work, insures that best work is produced. Team Leaders are the liaison with me and I fully support his/her actions.
 
The Team Captain is in charge and is responsible for the delivery of the assignments. It is incumbent and responsibility of the teams to support the person they chose. Frankly, the team grade depends on it. Be professional. Let your team captain know if you are going to miss a class or be late on a team assignment. This way someone on your team can cover for you.
 
Teams are generally broken down into an attack and defense sub-teams of 2 or 3. One side chooses the attack side (the good guys, who are tasked to investigate the bad guys and participate in the seizing evidence from computers per a pre-established Computer Forensics Evidence plan). The defense side of the scenario (bad guys must not only figure out how do the crime but also how to stop the good guys from finding EVIDENCE to put them in jail or finding them at all.
 
The attack side of an A/D must develop a solid Computer Forensics Evidence plan to investigate the bad guy’s computer(s). Step by step. It is should be comprehensive. Assume that the DA or AG will use your plan to develop their legal side of the case. Consider Authentication, Chain-of Custody, traps, Jurisdiction, applicable State and Federal laws, types of evidence, specific tools that you will use and why, supplemental evidence such as pictures, cross-tying evidence such as GID#s.
 
The bad guys (the Defense side of the A/D) are not stupid. They must also have a plan to hide evidence. Use cryptography or steganography if you like. Set malware traps, set hardware traps, prevent the viewing of data, hide files, put in spiders and self-destroys. The cleverer the bad guys plan, the tougher the attack team will have to work. Consider which tools are important. Bad guys work by a plan too - a specific one.
 
The third part of the analysis is the AAR or After Action Report (generally 3-4 slides), which is where the team as whole collaborates on the project. They compare notes. They share findings, tools, details. They present their JOINT conclusions on what part of the attack(s) worked and what didn't. Lastly, mitigation (if possible) of those differences is presented in one slide. When you look at both sides of the criminal enterprise, you will do a better job of getting the evidence you need that will hold up in courts. Go unprepared and watch what the defense lawyers do to you in cross-examination.

All team-members earn the SAME grade subject to the P2P evaluations procedure discussed below.

CF Tools. There are many CF tools. What is important is when to use them,
what information they give you, and what they don’t. Your object is the bigger picture of the evidence plan that must hold up in court. Pick the wrong tool and the authentication might be challenged. The criminal goes free.
 
It is helpful to think of the evidence plan in terms of Risk. Risk = Threats X Impact X Vulnerabilities / Countermeasures. [This is the Ryan-Nichols equation] This is a reverse of how we normally think of information security (IS). In this case the criminal is applying the countermeasures!

A/D Scenario Presentation Considerations

1. Devise a Detailed Computer Forensics Evidence Plan from both the Attacker (the good guys seizing the computer) and the Defender (the defendant’s who committed the crimes and want to prevent evidence from surfacing for scrutiny) point of views (POVs). Your answer must be both organized and flow from one slide to another.
2. What tools would you use and why? What information do they give you? What information can you hide? Show examples but don’t fill up your PPTs only with screen shots.
3. What laws and standards must you be mindful of?
4. What best practices would you use (reference them)?
5. What are the risks of in terms of evidence collection, chain-of custody, warrants, banners, and authentication, “fruit of the tainted tree issues” Other risks?

Some additional considerations for Case Studies

1. What conclusions can you draw from the case [improve on the preliminary analysis]?
2. Go to the heart of this case, research it, what additional information can you find?
3. Does it bother you that public records can be compromised so easily? Are their other examples?

Extra Point Projects (F2F & Online) Points earned by students who qualify (Webliography or A Bullets) may be used to improve individual assignments only.

Featured Software (F2F & Online) Each week, students will be exposed to a single computer forensics program (demo or freeware) that they should experiment with and comment on in the featured Software Forum (Online & F2F). The featured software is a productive way to learn some of new forensic principles in practice.

Grading (F2F & Online)

The final course grade will be determined as follows:

1. Columbo Groups 1-4: Asymmetric Computer Forensics Mid-term Project PPTs(Team) -- 25%
2. Computer Forensics Asymmetric Research Paper PowerPoint Presentation (Team) -- 35%
3. Two Forensic Case Studies (Team) -- 20% [due one week after assignment]
4. Bullets & Participation-- regular submissions of "Bullets" or webliography (Individual grading) & featured software discussions -- 20%
• [Bullets = Online students are expected to add 3-6 current bullets to the bullets discussion forum each week. Online students are also expected to comment intelligently (not “flame”) TWO other student’s posted bullets. Comments must be constructive and not “smile talk.”Distance learning students (Online status only): The Student Journal will be worth up to 1/3 of the participation grade. So, bullets / webliography /featured software, participation = 20%; Student Journal = 10%.

Notes Regarding Online & Distance Learning Students

On-Line Format The format of the Online session will be Socratic style. I will post questions in the homework conferences for you to respond to. There will be accompanying lecturettes,slides and Voice files to assist you with the subject matter. I ask that students use literature references in their responses. APA referencing will be required. The team collaborative paper requirements will be posted in the class issues conference.  I will post sign up topics for you to use to join a team. First come, first served. By the end of the first week, if you don’t choose a topic, I will help you volunteer.

Online Participation Students are expected to participate /contribute regularly, e.g., 3x – 5x times a week. You should plan on participating just as though you are having an ongoing conversation.  This means that you may want to check conferences a few times a week and respond to what you see there and engage others in a simulated dialog.  Use the sort by Date and Author and Unread features as well as the "Read All Notes" button to help you speed through the new postings.  Please "talk" to one another during the week as well as to me when you are addressing any topical discussions we have.  It's impossible to have much of a thoughtful conversation if everyone saves participation in the discussion for late Sunday night.

As part of your participation and response, you may hyperlink websites or materials from your own web page if they enhance your participation.  I evaluate participation on its thoughtfulness, engagement, and insight and web-courtesy. Flames are not an appropriate response to genuine interest or questions.  There is a participation rubric available in the course materials area. Further, I monitor all the Online discussion and bullet conferences. Think of this as a gauge of both student participation and “virtual attendance.”

Credit will be given for discussions in the appropriate UC WebCT forums and not for “off the books chats” or other communication meetings. Students using chat, IM, or non-UC email systems MUST copy a log of those UNCENSORED chats, etc. and submit to the UC WebCT forum so appropriate participation credit may be received. Failure to do so will cost the team up to 20% of their team grade!

• [Bullets = Online students are expected to add 3-6 current bullets to the bullets discussion forum each week. Online students are also expected to comment intelligently (not “flame”) TWO other student’s posted bullets. Comments must be constructive and not “smile talk.”

D. Course Content and Pedagogy

This course will span approximately 16 weeks with one (or part of one) module being taught each class session.

Course Schedule

Course Policies and Procedures (F2F & Online)

Grading: (F2F & Online) According to Utica College standard grading scale and policy: A 93-100;
A- 90-92.9; B+ 88-89.9; B 83-87.9; C+ 78-79.9; C 73-77.9; C- 70-72.9; D+ 68-69.9; D 63-67.9; D- 60-62.9; and F 0-59.

The grade range of B represents the benchmark for this class. It indicates that the student (or team) has demonstrated competency in the subject matter of the course, e.g., has fulfilled all course requirements on time, has a clear grasp of the full range of course materials and concepts, and is able to present and apply these materials and concepts in clear, well-reasoned, well-organized, and grammatically correct responses, whether written or oral.

As a matter of my personal teaching philosophy, I teach to excellence not average. Minimums represent average to me. On the rubric for participation, the middle column represents the benchmark norm.

Writing Standards (F2F & Online) Effective managers, leaders, and teachers are also effective communicators. Written communication is an important element of the total communication process. Utica College recognizes and expects exemplary writing to be the norm for course work. To this end, all papers, individual and group, must demonstrate graduate level writing and comply with the format requirements of the Publication Manual of the American Psychological Association, (5th Edition) or www.apastyle.org. Careful attention should be given to spelling, punctuation, source citations, references, and the presentation of tables and figures. Other resources are: The Elements of Style (Strunk and White), 100 Ways to Improve Your Writing (Provost) and the Utica College Writing Center at Hubbard Hall, Room 216.

Timeliness (F2F & Online) It is expected that all course work will be presented on time and error free. Work submitted online should follow standard procedures for formatting and citations. Since most of our class work is performed in team format, students have a responsibility to their team and this class. They must make arrangements with the team leader for missed participation. Except for military service, verifiable medical leave or bereavement leave, there will not be any late grading.

Students should respect the learning atmosphere of others by not coming in late or leaving early.

Academic Integrity and Plagiarism (F2F & Online) Academic integrity is central to the learning and teaching process. Students are expected to conduct themselves in a manner that will contribute to the maintenance of academic integrity by making all reasonable efforts to prevent the occurrence of academic dishonesty. Academic dishonesty includes, but is not limited to, obtaining or giving aid (electronically or in person) on an examination, having unauthorized prior knowledge of an examination, doing work for another student, and plagiarism of all types.

Plagiarism is the intentional or unintentional presentation of another person’s idea or product as ones own. Plagiarism includes, but is not limited to, the following: copying verbatim all or part of another’s written work; using phrases, charts, figures, illustrations, or mathematical or scientific solutions without citing the source; paraphrasing ideas, conclusions, or research without citing the source; and using all or part of a literary plot, poem, film, musical score, or other artistic product without attributing the work to its creator. Students can avoid unintentional plagiarism by following carefully accepted scholarly practices. Notes taken for papers and research projects should accurately record sources to material to be cited, quoted, paraphrased, or summarized, and papers should acknowledge these sources. The penalties for plagiarism or intentional cheating include a zero or a grade of F on the work in question, a grade of F in the course, suspension with a file letter, suspension with a transcript notation, or expulsion. Students may learn more about Utica College’s formal policies at: http://www.utica.edu/academic/catalog/academicregulations.pdf

Attendance (F2F) Attendance will be taken in order to comply with college administrative requirements. Consistent with Criminal Justice Department and the new Cybercrime, Computer Forensics & Information Assurance policies, grading penalties will be imposed for excessive lack of attendance. The Department has defined “excessive” as more than three (3) unexcused absences from classes that meet three times a week or two (2) unexcused absences from class that meets twice a week. The penalty for additional unexcused absences is the demotion of one letter grade for each additional unexcused absence.

Disabilities (F2F & Online) Any student who needs an accommodation due to a disability should make an appointment to discuss the accommodation. A memo from the Coordinator of Learning Services authorizing the accommodation is required (Kateri Henkel, khenkel@utica.edu, 315-792-3032).

Course Evaluations (F2F & Online) Feedback on each undergraduate course and instructor is important to the College, your professor, and to all students. Utica College has the responsibility to assess the effectiveness of classroom instruction, and each student has the responsibility to provide accurate and timely feedback through completion of the course evaluation form.

Email Messages (F2F & Online) Please remember to put [CRJ 355] in the Subject of every email. In my online courses, the volume of email and attachments is significant.

Attendance (F2F) Class attendance will be recorded in random classes during the semester. Unexcused attendance(s) affects negatively both your individual participation grade and your team’s performance. Those involved in sports please contact your respective coaches to provide me a written schedule for practice sessions and games so that you do not get marked absent.

P2P Team Evaluations and Performance (F2F & Online) 80% of our course is Team-Based. Further, the mid-term and final projects are very asymmetric. There is no book or reference or “quick-guide” or URL that has the specific answers. The goal is to present a reasonable and logical team-solution to a difficult (even unusual) assignment based on best information security practices and technologies gleaned from your research and our class materials. Your grade is determined by how well your team accomplishes this goal working collaboratively. We think, learn, evaluate, problem-solve, generate ideas and possibilities and write better as a team. Research confirms that teams consistently out-perform the “star” individualist. This is real world. Information assurance issues in organizations are rarely assigned to one person – regardless of how strong or technically adept that he/she is. They solve the big problems in real time, team format, with collaborative working sessions.

Over my career, I have found that teams work effectively – most of the time. In general, all team-members receive the same grade on exams and projects. This policy is subject to the P2P (peer-to-peer) team evaluation process. When a team does not interact well as a team or one member intentionally does not participate effectively, or when the team leader is at terrible odds with the team itself and refuses to be flexible or improve the “lens of understanding,” we have the P2P policy to fall back on. P2P’s may optionally submitted (for the semester) by any team or team member within one week after the final project/exam. P2P’s are strictly confidential and I maintain these records for many years. Students are subject to an individual grade penalty of up to 20% of their grade if their overall performance is found deficient by a majority of their team-members. The team keeps the score-card on itself. As a practical matter, I discourage the formal P2P process and encourage teams and team leaders to solve their own problems “in-house.” I will be glad to help and encourage positive results in our teams in every way I can before using the P2P disincentive. Students receiving a reduction of grade based on the P2P process will be notified by me in writing.

Cell / Picture Phones, Palm pilots and Pagers (F2F) Turn off all your electronics before entering our class. These devices are enormously disturbing and rude to your fellow students and me. Frankly, We are more important! Use of these devices during class or especially during an exam, may earn you an F for the class session or on your test. Further, you will need to show cause why you should remain in my class for the balance of the semester.

Food (F2F ) The Golden Rule applies. Strive to leave the classroom in better shape than when you entered it. “Pay it forward”, it works!

Class Discussions (F2F & Online) We bring differing points of view to this class. Participation is not only encouraged but many times I will put a fire under the class to analyze issues with variety of perspectives. Be prepared to take the side of a brisk discussion (not argument or personal attacks) that is in conflict with your own. Challenge yourselves – especially when solving asymmetric team problems. Respect and professionalism are the operative guidelines for our discussions.

Extra Credit Work (F2F & Online) The punishment for good work is more work and respect. Extra credit assignments (limit one per student per semester) are available for students who enjoy individual achievement, want to learn more and are excited by the material as a possible vocation or sense that they need a few more points to improve their grade. I believe in the “pay it forward” principle. Extra credit assignments (worth up to one grade level) are designed to help my current and future students by developing accurate, current resource materials. Extra credit assignments must be completed on time to be valued. They do not replace any of the normal exams, asymmetric team work, assignments or case studies. “Extra” is the operative word.

Death March Team (DMT) Eligibility Students (F2F & Online) who maintain an A level average in this class may be invited to join the DMT. This is quite an honor. DMT represents a network of over 85 of my active working Graduate students from George Washington University, Towson University, University of Maryland University College, Tulane University, Capitol College, US Army, US Navy, USCG, USJCS, White House, DOD, DHS, FBI National Academy, NSA and major security organizations (SAIC, BAH, ASFT, Anteon, Credant Technologies) that collaboratively work on some fascinating short-term challenges. They evaluate new “beta” technologies, prepare presentations as a team to national conferences, provide speakers for local events, and critique each others papers. It is a network that helps each other find work in senior positions. We always attribute our work professionally; maintain a code of professional ethics and work to improve our profession. We are committed to each other’s professional success. Respect is our currency.

Disclaimers (F2F & Online) This course examines inter alia ethical and legal dimensions of on-line behavior. It is not intended to turn information technology professionals into lawyers. Many of the topics to be discussed will be concerned with the law and legal implications of certain behavior. Every effort is made to provide accurate and complete information. However, at no time during this course will legal advice be offered. Any student requiring legal advice, should seek services of a lawyer authorized to practice in the appropriate jurisdiction.

This class will explore technology and management issues related to elements of holistic information security. Specific technologies and techniques used by hackers, crackers, spies and thieves to obtain access to sensitive, private information are discussed and explored. Students are reminded that it is a violation of Federal and some state’s laws to attempt to gain unauthorized access to information assets or systems belonging to others, or to exceed authorized on systems to which they have been granted access. At no time in this class should any student violate either laws or confidences.

This class is not about pushing the envelope or hacking, and any violation of legal boundaries in the course of this class will be considered a violation of the class trust and will be subject to sanctions in grading.

F. References (F2F & Online): (Additional course material may be drawn from these optional readings. They will be available via email or hand-outs from instructor, on WebCT common area, or placed on 3-day reserve at Frank E. Gannett Memorial Library)

Amoroso, E. (2000) Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Trace back, Traps and Response, Intrusion.Net Books.

Archibald, N., Fogie, S., Kamininsky, D., Long, D., Hurley, C. et.al. (2005) Aggressive Network Self-Defense, Rockland, MD:Syngress.

Bidgoli H., Editor-in-Chief. (2006) Volume 1: Handbook of Information Security: Key Concepts, Infrastructure, Standards, and Protocols. Hoboken, New Jersey: Wiley.

Bidgoli H., Editor-in-Chief. (2006) Volume 2: Handbook of Information Security: Information Warfare; Social, Legal and International Issues; and Security Foundations. Hoboken, New Jersey: Wiley.

Bidgoli H., Editor-in-Chief. (2006) Volume 3: Handbook of Information Security: Threats, Vulnerabilities, Prevention, Detection, and Management. Hoboken, New Jersey: Wiley.

Brown, C. L.T. (2006) Computer Evidence: Collection & Preservation, Hingham, MA: Charles River Media.

Casey, E. (ed) (2000) Digital Evidence and Computer Crime, Academic Press.

Casey, E. (ed) (2002) Handbook of Computer Crime Investigation: Forensic Tools and Technology. Academic Press.

Caswell, B. (2003) Snort 2.0 Intrusion Detection, Syngress.

Cordesman, A.H. (2002). Cyber-Threats, Information Warfare, and Critical Infrastructure Protection: Defending the U.S. Homeland. Westport Connecticut: CSIS publications.

Curts, R.J. & Campbell, D.E. (2003). Building a Global Information Assurance Program. New York: Auerbach.

Dorothy, D. (1999). Defending the Nation: Information Warfare and Security. Boston: ACM Press.

Erbschloe, M. (2003) Guide to Disaster Recovery. Boston: Thomson Course Technology.

Evers, D. H., Glover, T. J., Glover, T.M. & Miller, M.E. (2006) Pocket Partner,
4th ed. Littleton, CO: Sequoia Publishing.

Fair, T., Nordfelt, M., Ring S. & Cole, E. (2005) Cyber Spying, Rockland, MD: Syngress.

Farmer D. & Venema, W. (2005) Forensic Discovery, Upper Saddle River, NJ: Addison Wesley.

Foster, J.C. (2006) Writing Security Tools and Exploits, Rockland, MD:Syngress.

Grimes, R.A. (2003) Malicious Mobile Code: Virus Protection for Windows, O’Reilly.

Hall, W. M. (2003). Stray Voltage: War in the information age. Annapolis, MD: Naval Institute Press.

Hoglund G. & Butler, J. (2006) Rootkits: Subverting the Windows Kernel, Upper Saddle River, NJ: Addison Wesley.

Jones, K.J., Bejtlich R. & Rose, C.W. (2006) Real Digital Forensics: Computer Security and Incident Response, Upper Saddle River, NJ: Addison Wesley.

Lekkas, P.C. (2003) Network Processors: Architectures, Protocols and Platforms, McGraw-Hill.

Lewis, J.A. (December, 2002) Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats. Center for Strategic and International Studies. Washington, DC.

Long, J. (2005) Google Hacking, Rockland, MD:Syngress.

Long, J., Bayles, A.W., Foster, J.C. et.al. (2006) Penetration Tester's Open Source Toolkit, Rockland, MD:Syngress.

Middleton, B. (2001) Cyber Crime Investigator’s Field Guide. Auerbach Press.

National Science and Technology Council. (April, 2006) Federal Plan for Cybersecurity and Information Assurance Research and Development, Report by the Interagency Working Group. Arlington, VA: NCO/NITRD. Available from www.nitrrd.gov

Nelson, B., Phillips, A., Enfinger, F. & Steuart, C. (2004) Guide to Computer Forensic and Investigations, Thomson Course Technology: New York.

Nichols R. K, Ryan, D. J., & Ryan, J.C.H. (2002) Defending your Digital Assets, Against Hackers, Crackers, Spies and Thieves, McGraw-Hill.

Nichols, R.K. & Lekkas, P. C. (2002). Wireless Security: Models, Threats, Solutions. New York, NY: McGraw Hill.

Noonan, W.J. (2004) Hardening the Network Infrastructure, NYC: McGraw Hill.

Parker, T., et.al. (2004). Cyber Adversary Characterization. Rockland, MD: Syngress.

Peltier, T. R. (2006). Information Security Risk Analysis.2nd ed. Boca Raton, FL: Auerbach.

Pfleeger, C. & Pfleeger, S.L. (2003) Security in Computing, 3rd ed., PTR.

Pipkin, D. L. (2000). Information Security: Protecting the Global Enterprise. Upper Saddle River, NJ: HP Professional Books.

Prosise, C. (2001) Incident Response: Investigating Computer Crime, McGraw-Hill.

Rattray, G. J. (2001). Strategic warfare in cyberspace. London: MIT Press.

Rosenblatt, K.S. (1996) High-Technology Crime: Investigating Cases Involving Computers, KSK Press.

Schneier, B. (2003). Beyond Fear: Thinking Sensibly about Security in an Uncertain World. New York: Copernicus.

Schwartau, W. (1996). Information Warfare: CyberTerrorism: Protecting Your Personal Security in the Electronic Age. New York: Thunder's Mouth Press.

Skoudis, E. & Zeltser, L. (2004) Malware: Fighting Malicious Code, PH.

Schultz, E., Mellander, J. & Endorf, C.F. (2003) Intrusion Detection, McGraw-Hill.

Secret Service Evidence Best Practices: http://www.secretservice.gov/electronic_evidence.shtml

Shinder, D. L, & Tittel, Ed (editor). (2002) Scene of the cybercrime: Computer forensics handbook. Syngress Shinder Books.

Vacca, J.R. (2003) Computer Forensics: Computer Crime Scene Investigation, Charles River Media.

Verton, D. (2004). Black Ice: The Invisible Threat of Cyber-Terrorism, (ICE) San Francisco: Osborne.

White, J. R. (2004). Defending the Homeland: Domestic Intelligence, Law Enforcement, and Security, New York: Thomson –Wadsworth.

Whitman, M.E, & Mattord, H.J. (2004). Management of Information Security, Boston: Thomson Course Technology.

Whitman, M.E. & Mattord, H.J. (2005) Principles of Information Security, 2nd ed. Boston: Thomson Course Technology.

Yourdon, E. (2002). Byte wars: The impact of September 11 on information technology. Upper Saddle River, NJ: Prentice Hall.