The University of Maryland University College
Graduate School

Intrusion Detection, Incident Response, and Computer Forensics
CSMN 683

Welcome to Online CSMN 683: Intrusion Detection, Incident Response, and Computer Forensics. My name is Professor Nichols and I will be your course facilitator during the next intense fourteen sessions. My bio is in the upper left hand corner of WebTycho and this website. You may want to visit my site at http://www.infosec-technologies.com. There is a special section devoted to Intrusion Detection resources, papers, URLs and presentations. Please note the Introductions conference. Please take a minute to introduce yourselves to the class, with a little background about yourself, courses taken, and a few sentences about your expectations for this class. Glad to have you all in my class; I look forward to your contributions.

Course Description

The theory, skills, and tools needed in intrusion detection and computer forensics are the major themes in this course. The course discusses techniques for identifying vulnerable target systems and types of malicious code, for mitigating security risks, and for recognizing attack patterns. It also presents the conceptual and operational tools necessary for analysis and resolution of problems with respect to effective filters and firewalls, attack tracing, system recovery, continuity of operation, evidence collection, evidence analysis, and prosecution.

Course Objective

Upon successful completion of this course, students should be able to:

  • Describe the principles of intrusion detection and computer forensics.
  • Discuss techniques for identifying key systems vulnerabilities.
  • Describe the major types of malicious code and techniques for mitigating security risk.
  • Discuss various methods and techniques for recognizing attack patterns.
  • Explain the various tools used for analysis and resolution of problems with filters and firewalls.
  • Describe methods of attack tracing, evidence collection, and evidence analysis.
  • Discuss methods and techniques for systems recovery and ensuring continuity of operations.
  • Define major legal issues related to criminal prosecution and civil actions.
Course Requirements

    The course requirements are as follows:

    Exams. There may be up to two exams (open book and open notes) designed to help students improve their understanding of the concepts discussed in the course.

    Research Paper. Five teams will be chosen. Group research papers are required. Teams may choose their own topic, or I can assign them an ID Attack / Defense Scenario on an enterprise target.

    Projects. Students will keep a journal of their experiences with one intrusion detection or computer forensics security penetration tool.

    Participation. Students are expected to prepare for each class meeting and participate in the conference discussions on specific ID issues. A defining rubric for participation may be found in the WebTycho (WT) course content area.

    Required Textbooks:

    Kruse II, W.G., & Heiser, J.G. (2002). Computer Forensics: Incident Response Essentials. New York: Addison-Wesley. ISBN 0-201-70719-5

    Proctor, P. E. (2001). The Practical Intrusion Detection Handbook. Upper Saddle River, NJ: Prentice Hall. ISBN 0-13-025960-8

    American Psychological Association. (2001). Publication manual of the American Psychological Association (5th ed.). Washington, D.C.: APA. ISBN: 1-55798-791-2

    Note: Textbooks are available and ready to ship, online, at the MBS (Missouri Book Store), which can be accessed at www.umuc.edu/bookstore.

    Format, Group Projects, Journal, Exams and Grading.

    Deliverables

    There are two deliverables in this course, the Student Team Research Paper and the Student Journal. The former is a major undertaking and requires team resources and collaborative effort. The latter is easy to do with a little effort on a weekly basis.

    The Team paper is a hypothetical but complete ID attack and defense scenario developed on an enterprise network target. Teams must give equal weight to the attack preparation and the defense preparation. An after-action summary must be part of both the team paper and the PowerPoint presentation.

    Student Team Research Paper

    I believe that teamwork fosters learning and better research. We will not do individual research papers. Instead, each team will develop a group research/project paper. Topics for the scenarios are posted for sign-up on a first come, first served basis, and teams will be assigned from those sign-ups.

    The body length of the paper is 10-15 pages per group member, in Times New Roman, 10-12 point. Each group will virtually present and post a PowerPoint presentation of approximately 30-50 slides to demonstrate their research to the class. Paper length may vary, since it is the quality of the information delivered that counts, not the quantity.

    Student Journal

    For your student journal, I want you to download intrusion detection or computer forensics software (freeware or demo copies) and experiment with it to see how effective it is. Keep a journal of every step of the process and post it weekly to the journal conference. This will give each of us a wide range of experiences with tools in this discipline.

    On-Line Format

    The format of the class will be Socratic style. I will post questions in the homework conferences for you to respond to. There will be accompanying lecturettes and slides to assist you with the subject matter. I do ask that you use literature references in your responses. APA referencing will be required. I have posted the group paper requirements in the class issues conference. I have also posted sign up topics for you to use to join a group. As soon as groups are filled I will assign you to them.

    Grading

    The final grade will be determined as follows:

    Midterm Exam or Special Project -- 25%
    Final Exam / Group Research Paper and PowerPoint Presentation -- 35%
    Weekly Discussion Participation -- 20%
    Student Journal -- 10%
    Bullets / Webliography -- 10% (regular submissions of "Bullets" or webliography entries are required)

    Administrative

    Professor: Randall K. Nichols

    Contact Information:

    Availability: 10:00 AM - 10:00 PM EST
    Mobile: 717-329-9836
    Fax: 717-258-5693
    Business E-Mail: cto@infosec-technologies.com
    Student E-Mail: profrknichols@comcast.net
    Website: www.infosec-technologies.com

    Virtual Hours

    Our virtual week goes from Monday through Saturday. Many clear-weather Saturdays and Sundays I am on the Chesapeake Bay onboard the CRYPTO-WIZ. This is not a good time to call me. Satellite coverage is good but my brain coverage is noisy. The rest of the week, you can call or e-mail me anytime between 1000-2200 Hrs EST. It is not unusual for me to respond to your e-mails as late as 0400 Hrs EST. I usually return e-mail within 24 hours. When you respond to me, use your e-mail Reply option and include the last message so I know what our conversation was about. I'll do the same for you. If you do not hear from me within this timeframe, please do not hesitate to e-mail me again, as I may not have received your e-mail. When you e-mail me, please include in the subject line the course identifier number and the topic of your e-mail. Also please include your name in the text message, as some e-mail addresses give no clue as to their owners.

    Participation

    I expect students to participate regularly in the conferences, e.g., 2-3 times a week. You should plan on participating just as though you are having an ongoing conversation. This means that you may want to check the conference a few times a week, respond to what you see there, and engage others in a simulated dialog. Use the sort by Date and Author features as well as the "Read All Notes" button to help you speed through the new postings. Please "talk" to one another during the week as well as to me when you are addressing any topical discussions we have. It's impossible to have much of a thoughtful conversation if everyone saves participation in the discussion for late Sunday night.

    As part of your participation and response, you may hyperlink websites or materials from your own web page if they enhance your participation. I evaluate participation on its thoughtfulness, engagement, insight, and web-courtesy. Flames are not an appropriate response to genuine interest or questions.

    Submitting Assignments

    Please submit your assignments in HTML, RTF, or plain text when they are due. You may post them to the Assignment Area (or send them as attachments to email). You will lose 10% of the assignment grade for each day an assignment is late.

    Please keep copies of all assignments that you send to me and all that I return to you with my comments. If you revise an assignment, please send your original with my comments, along with the revised assignment, in the same email. Note that you have revised the assignment and what you think you did to improve the original.

    Getting Help

    Help is available at 1-800-807-4862 or by email at webtychosupport@umuc.edu. Have your login ID, password, and your class and section numbers ready when you call, or include them in your email. Include information about your browser, system, or any other details you think will be needed by the folks at WebTycho Help and Support to assist you. Cut and paste the actual error notices that pop up for even better responses.

    Summing Up a Successful Online WebTycho Student

    A successful WebTycho student is one who reads the materials thoroughly before responding, participates regularly, engages the material and others with enthusiasm and courtesy, schedules time to do the work, asks for help when it is needed, interacts with others in the class, is self-motivated, turns in well-drafted, proofed assignments, and keeps copies of all work and my responses in case of an emergency.

    Okay, now that we have gone over the basics, ask me about anything that may be unclear, and good luck on a successful course! I look forward to working with you all.

    Course Schedule

    Each entry below gives the Week, the Module/Dates, and the Readings/Assignment(s).

    1

    SESSION 1

    Introduction and Course Overview

    · Course Overview
    · Security versus Business
    · Intrusion Detection
    · Computer Forensics

    Readings: Proctor, Chapters 1-2

    2

    SESSION 2

    Intrusion Detection Systems

    · Network-based Detection
    · Host-based Detection
    · Architectures and Operational Concepts
    · Benefits of Network-based Detection and Host-based Detection
    · Challenges for Network-based Detection and Host-based Detection

    Readings: Proctor, Chapters 3-4

    3

    SESSION 3

    Detection Technology, Techniques and Myths

    · Network and Host Detection Mechanisms
    · Packet Header (Traffic) Analysis
    · Signatures of all Kinds (Host-based, Compound, Detection Mechanisms)
    · Anomaly Detection Techniques
    · Intrusion Detection Myths

    Readings: Proctor, Chapters 5-6

    4

    SESSION 4

    Effective Use of Forensics and Behavioral Forensics

    · Detecting Outsider and Insider Misuse
    · Attack Anticipation
    · Behavioral Data Forensics and Data Mining
    · Damage Assessment

    Readings: Proctor, Chapters 7-8

    5

    SESSION 5

    Computer Forensics and Tracking Offenders

    · Computer Forensics
    · Internet Fundamentals
    · Some Techniques in Tracking Offenders
    · Some Methods of Tracing Email and News Posting

    Readings: Kruse, Chapters 1-2

    6

    SESSION 6

    Examining Hard Drives and Storage Media

    · The Basics of Hard Disks
    · Operating System Issues
    · The Basics of Storage Media

    Readings: Kruse, Chapter 3

    7

    SESSION 7

    Midterm Exam or Fuji/ Special team presentation

    8

    SESSION 8

    Encryption and Forensics

    · Encryption, Encoding, and Compression
    · Data Transformation for Forensic Purpose
    · Methods for Attacking Encrypted Text
    · Time Stamping

    Readings: Kruse, Chapter 4

    9

    SESSION 9

    Data Hiding and Hostile Code

    · Cracking Encryption Applications
    · Hiding and Finding Data
    · Steganography
    · Hostile Code
    · Ways Used by Hostile Code

    Readings: Kruse, Chapters 5-6

    10

    SESSION 10

    Forensics Toolkit

    · Hard Drive Tools (Fdisk and PartitionMagic)
    · Viewers (Quick View Plus and ThumbsPlus)
    · CD-R Utilities
    · Text Searches
    · Forensic Programs (EnCase)
    · Special Forensic Hardware

    Readings: Kruse, Chapter 7

    11

    SESSION 11

    Forensic Examination of Windows Computers

    · Examining MAC Times (modified, accessed, created), Registry Entries, and Recycle Bin
    · Extracting Password Files
    · Windows Email
    · Windows Operating Systems Forensic Tips (95, 98, NT, 2000)
    · System Tools

    Readings: Kruse, Chapter 8

    12

    SESSION 12

    Forensic Examination of UNIX Computers

    · Unix Filesystems, Text Filters, and "Forensic" Commands
    · Typical Host Exploits for Taking Control
    · Finding Tracks and Collecting Evidence
    · Level of Intrusion Response and Systems Compromise
    · Signs of Hostile Processes and Analyzing Unknown Code
    · Filesystems, Logs, Auditing, and Accounting Controls

    Readings: Kruse, Chapters 9-11

    Student Journals Due by 2359 EST Saturday
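    As an added example for Sessions 11 and 12 (MAC times, and finding tracks and collecting evidence on a Unix host), not code from the course or from either textbook: the script below builds a mactime-style timeline over a directory tree, records a SHA-256 hash of every file for the evidence record, and flags two common leads, files modified inside a suspected intrusion window and files whose mtime has been pushed back earlier than their ctime. The evidence tree, its file names and contents, and the one-hour intrusion window are all constructed for the demonstration.

```python
# Added example (not course or textbook code): a first-pass MAC-time timeline
# with SHA-256 integrity hashes over a directory tree, the kind of "finding
# tracks" sweep Sessions 11 and 12 refer to. The evidence tree is constructed
# here in a temp directory; paths, contents and the intrusion window are
# hypothetical. On Linux, ctime is the inode-change time (not creation time),
# which is what the backdating check below relies on.
import hashlib
import os
import stat
import tempfile
import time
from datetime import datetime, timezone


def sha256_file(path, chunk=65536):
    """Hash in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect(root):
    """Walk root without following symlinks; one record per regular file.
    stat() is taken before the file is read, so the recorded atime is the
    pre-examination value."""
    rows = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)  # lstat: do not chase symlinks an intruder may have planted
            if not stat.S_ISREG(st.st_mode):
                continue
            rows.append({"path": p, "inode": st.st_ino, "size": st.st_size,
                         "mtime": st.st_mtime, "atime": st.st_atime,
                         "ctime": st.st_ctime, "sha256": sha256_file(p)})
    return rows


def timeline(rows):
    """mactime-style view: one (timestamp, M/A/C, path, inode, sha256) event
    per timestamp kind, sorted chronologically."""
    events = [(r[k], k[0].upper(), r["path"], r["inode"], r["sha256"])
              for r in rows for k in ("mtime", "atime", "ctime")]
    events.sort()
    return events


def format_event(ev):
    ts, kind, path, inode, digest = ev
    when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return f"{when}Z {kind} inode={inode} {path} sha256={digest[:16]}..."


def anomalies(rows, window_start, window_end, backdate_slack=86400):
    """Two leads, not proof: files modified inside the suspected intrusion
    window, and files whose mtime is older than ctime by more than a day.
    utime() lets an intruder set mtime/atime freely, but the kernel updates
    ctime on any inode change, so a backdated mtime leaves this gap
    (cp -p and tar extractions produce it innocently too, so corroborate)."""
    hits = {"in_window": [], "mtime_backdated": []}
    for r in rows:
        if window_start <= r["mtime"] <= window_end:
            hits["in_window"].append(r["path"])
        if r["ctime"] - r["mtime"] > backdate_slack:
            hits["mtime_backdated"].append(r["path"])
    return hits


def build_sample_tree():
    """Constructed evidence: a benign passwd, a web log, and a planted binary
    whose mtime was pushed back ten days with utime() to blend in."""
    root = tempfile.mkdtemp(prefix="csmn683_")
    files = {
        "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
        "var/log/httpd/access_log":
            b'10.0.0.5 - - [12/Oct/2003:02:14:07 -0400] "GET /cgi-bin/x HTTP/1.0" 200 42\n',
        "tmp/.x/bd": b"\x7fELF constructed, not a real binary\n",
    }
    for rel, data in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    ten_days_ago = time.time() - 10 * 86400
    os.utime(os.path.join(root, "tmp/.x/bd"), (ten_days_ago, ten_days_ago))
    return root


def demo():
    """Run the sweep over the constructed tree; the window is the last hour."""
    root = build_sample_tree()
    rows = collect(root)
    now = time.time()
    hits = anomalies(rows, now - 3600, now + 1)
    return {"rows": rows, "events": timeline(rows), "hits": hits}


if __name__ == "__main__":
    result = demo()
    for ev in result["events"]:
        print(format_event(ev))
    print("modified in window:", result["hits"]["in_window"])
    print("mtime older than ctime:", result["hits"]["mtime_backdated"])
```

    Run it against a read-only, noatime mount of a disk image rather than the live root filesystem: reading a file to hash it updates its atime on a writable mount, which destroys exactly the access evidence the A events are meant to preserve. The backdating check is a lead to corroborate against logs and the timeline, not a finding on its own.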

    13

    SESSION 13

    Incident Response, Legal Issues, and Criminal Justice

    · Incident Response Guidelines and Incident Response Handling
    · Law Enforcement and Criminal Prosecutions
    · Due Care, Evidentiary Issues, and Chain of Custody
    · Documenting Economic Loss

    Readings: Kruse, Chapter 12, Appendix A, and Appendix B
    Proctor, Chapter 15

    All Homework Conferences Due

    14

    SESSION 14

    Final Exam / Collaborative Team A/D paper and PowerPoint presentations due by 2359 EST Saturday

    Additional Information

    On Intrusion Detection:

    • Chris Prosise and Kevin Mandia, Incident Response and Computer Forensics,
      McGraw-Hill, 2001.
    • Chris Prosise, Incident Response: Investigating Computer Crime, McGraw-Hill,
      2001.
    • Eugene Schultz, Jim Mellander and Carl F Endorf, Intrusion Detection,
      McGraw-Hill, 2003.
    • Rebecca Gurley Bace, Intrusion Detection, Que, 1999.
    • Mark Cooper, Intrusion Signatures and Analysis, Que, 2001.
    • Kenneth R. Van Wyk and Richard Forno, Incident Response, O'Reilly, 2001.
    • Edward Amoroso, Intrusion Detection: An Introduction To Internet Surveillance,
      Correlation, Traceback, Traps and Response, Intrusion.Net Books, 2000.
    • The HoneyNet Project, Know Your Enemy: Revealing the Security Tools, Tactics,
      and Motives of the Blackhat Community, Addison Wesley, 2001.
    • Aviel D. Rubin, White-Hat Security Arsenal: Tackling the Threats, Addison
      Wesley, 2001.
    • Stephen Northcutt, Inside Network Perimeter Security: The Definitive Guide to
      Firewalls, Virtual Private Networks (VPNs), Routers, and Intrusion Detection Systems, Que, 2002.
    • Brian Caswell, et al, Snort 2.0 Intrusion Detection, Syngress, 2003.
    • Keith J Jones, et al, Anti-Hacker Toolkit, McGraw-Hill, 2002.

    On Computer Forensics:

    • Warren G Kruse II and Jay G. Heiser, Computer Forensics: Incident Response
      Essentials, Addison Wesley, 2002.
    • Tony Sammes and Brian Jenkinson, Forensic Computing: A Practitioner's Guide,
      Springer, 2000.
    • Michael A. Caloyannides, Computer Forensics and Privacy, Artech House, 2001.
    • Paul E. Proctor, The Practical Intrusion Detection Handbook, Prentice Hall,
      2001.

    On Computer Crime Investigation:

    • Eoghan Casey (ed), Handbook of Computer Crime Investigation: Forensic Tools and
      Technology, Academic Press, 2002.
    • Bruce Middleton, Cyber Crime Investigator's Field Guide, Auerbach, 2001.
    • John R. Vacca, Computer Forensics: Computer Crime Scene Investigation, Charles
      River Media, 2003.
    • Eoghan Casey (ed), Digital Evidence and Computer Crime, Academic Press, 2000.
    • Kenneth S. Rosenblatt, High-Technology Crime: Investigating Cases Involving
      Computers, KSK, 1996.
    • Gerald L Kovacich and William C Boni, High-Technology Crime Investigators
      Handbook: Working In the Global Information Environment, B&H, 2000.

    On CyberTerrorism:

    • Dan Verton, Black Ice: The Invisible Threat of Cyber-Terrorism, Osborne, 2003.
    • Alan D. Campen, et.al, Cyberwar: Security, Strategy and Conflict in the
      Information Age, AFCEA, 1996.
    • James Adams, The Next World War: Computers are the Weapons & The Front Line is
      Everywhere, Simon & Schuster, 2001.
    • Peter Pitorri, Counter-Espionage for Business, BH, 1998.

    On Identity Theft:

    • John R. Vacca, Identity Theft, PTR, 2003
    • Sheldon Charrett, The Modern Identity Changer: How To Create a New Identity for
      Privacy and Personal Freedom, Paladin, 2002.
    • Ragnar Benson, Acquiring New ID: How To Easily Use the Latest Computer
      Technology to Drop Out, Start Over, and Get on with your Life, Paladin, 2002.
    • Anonymous, New ID in America: How To Create a Foolproof New Identity, Paladin,
      1983.
    • Joseph J Culligan, You Too Can Find Anybody, self-published, 1999.

    On Computer-Espionage:

    • Joel McNamara, Secrets of Computer Espionage: Tactics and Countermeasures,
      Wiley, 2003.

    On Hacking:

    • Jon Erickson, Hacking: The Art of Exploitation, No Starch Press, 2003.
    • Rob Flickenger, Wireless Hacks, O'Reilly, 2003.
    • Stuart McClure, et.al, Web Hacking: Attacks and Defense, Addison Wesley, 2003.
    • Joel Scambray, Stuart McClure, George Kurtz, Hacking Exposed, 2nd ed, Osborne,
      2001.
    • Christian Barnes, et.al, Hack Proofing Your Wireless Network, Syngress, 2002.
    • Wallace Wang, Steal This Computer Book 3, No Starch Press, 2003.
    • Ryan Russell, et.al, Stealing the Network: How To Own the Box, Syngress, 2003.
    • Michael O'Dea, Hack Notes: Windows Security, Osborne, 2003.

    On INFOSEC:

    • Carl A. Roper, Risk Management for Security Professionals, B&H, 1999.
    • Randall K Nichols, Daniel J Ryan and Julie JCH Ryan, Defending Your Digital
      Assets Against Hackers, Crackers, Spies and Thieves, McGraw-Hill, 2000.
    • Edward Yourdon, Byte Wars: The Impact of September 11 on Information
      Technology, PH, 2002.
    • Bruce Schneier, Beyond Fear: Thinking Sensibly about Security in an Uncertain
      World, Copernicus, 2003.
    • Mitch Tulloch, Microsoft Encyclopedia of Security, Microsoft, 2003.
    • Michael Cross, et.al, Security +, Syngress, 2003.
    • Mark G Graff & Kenneth R van Wyk, Secure Coding: Principles and Practices,
      O'Reilly, 2003.
    • Randall K Nichols and Panos C. Lekkas, Wireless Security: Models Threats and
      Solutions, McGraw-Hill, 2002.
    • Merritt Maxim & David Pollino, Wireless Security, RSA Press, 2002.

    On Biometric Security:

    • John Chirillo and Scott Blaul, Implementing Biometric Security, Wiley, 2003.
    • Anil Jain, Ruud Bolle and Sharath Pankanti, Biometrics: Personal Identification
      in Networked Society, KAP, 1999.

    On Malware:

    • Ed Skoudis and Lenny Zeltser, Malware: Fighting Malicious Code, PH, 2004.
    • Roger A Grimes, Malicious Mobile Code: Virus Protection for Windows, O'Reilly,
      2003.

    On Network Applications:

    • Panos C. Lekkas, Network Processors: Architectures, Protocols and Platforms,
      McGraw-Hill, 2003.
    • Matt Bishop, Computer Security: Art and Science, Addison Wesley, 2002.
    • Gregory B White, et.al, Computer System and Network Security, CRC, 1997.
    • Frederick Cooper, et.al, Implementing Internet Security, New Riders, 1996.
    • Vijay Ahuja, Network & Internet Security, Academic Press, 1996.
    • Charles Pfleeger and Shari Lawrence Pfleeger, Security in Computing, 3rd ed,
      PTR, 2003.

    Computer Forensics Training Materials

    Forensic Computer Investigations: Slides

    http://www.net.ohio-state.edu/security/talks.shtml
    http://www.net.ohio-state.edu/security/talks/2001-10_forensic-computer-investigations

    http://staff.washington.edu/dittrich/misc/sansfire.tgz
    Honeynet Project Forensic Challenge course materials, SANS FIRE 2001

    http://www.blackhat.com/html/training-usa-00/bh-usa-00-trainers.html
    Training Ninja at Black Hat '00

    http://www.washington.edu/People/dad/#forensics
    Computer Forensics resources and web sites

    http://www.computer-forensics.com/
    Computer Forensics Computer Crime - Articles

    http://www.forensics.com/resources/frame.htm
    Computer Forensics Inc | Resources - Articles

    http://www.forensics-intl.com/info.html
    Information and Resources from New Technologies, Inc.

    http://www.cops.org/forensic_examination_procedures.htm
    Forensic Examination Procedures, Hard Disk Examination, Floppy Disk
    Examination, and Limited Examinations

    http://secinf.net/cgi-bin/htsearch.cgi?words=forensics
    37 Computer Forensic Articles at Network Security Library

    http://www.robertgraham.com/pubs/firewall-seen.html
    Firewall Forensics

    http://www.infowar.com
    Best Practices for Seizing Electronic Evidence

    http://www.wetstonetech.com/papers.htm
    Articles by WetStone Technologies - Intrusion Detection, Cyber Forensics, Data
    Integrity

    http://www.engr.iupui.edu/ifi/articles/index.html
    Articles on Forensic Digital Imagery by the Institute for Forensic Imaging

    http://www.tisc2001.com/newsletters/27.html
    Internet Forensics: Common Tools, by Dr. Bill Hancock, CISSP

    http://project.honeynet.org/papers/forensics/
    Know Your Enemy: A Forensic Analysis - The Study of an Attack

    http://staff.washington.edu/dittrich/misc/forensics/
    Basic Steps in Forensic Analysis of Unix Systems
    http://www.net.ohio-state.edu/security/talks/2001-10_forensic-computer-investigations/
    http://www.net.ohio-state.edu/security/talks/2001-08_forensic-computer-investigations/
    http://www.net.ohio-state.edu/security/talks/2001-06_forensic-computer-investigations/
    http://www.net.ohio-state.edu/security/talks/2000-12-05_forensic-computer-investigations_lisa/
    Forensic Computer Investigations Slide Presentations

    http://networking.earthweb.com/netsecur/article/0,,12084_600461,00.html
    Computer Crime Investigator's Toolkit: Part I
    Part 2: http://networking.earthweb.com/netsecur/article/0,,12084_600471,00.html
    Part 3: http://networking.earthweb.com/netsecur/article/0,,12084_600481,00.html
    Part 4: http://networking.earthweb.com/netsecur/article/0,,12084_600491,00.html

    Forensic Tools:

    Desktop Surveillance <http://www.toolsthatwork.com>
    DriveSpy <http://www.digitalintel.com/>
    EnCase <http://www.guidancesoftware.com/>
    Forensic Utility Suite <http://www.lc-tech.com>
    Forensic Toolkit <http://www.accessdata.com>
    FSuite <http://www.keycomputer.net>
    Ghost <http://www.symantec.com>
    ILook <http://www.ilook-forensics.org>
    Image Master <http://www.ics-iq.com/products_cat_fr.cfm>
    Maresware <http://www.maresware.com/>
    Norton Utilities <http://www.symantec.com>
    Partition Magic <http://www.powerquest.com>
    Password Toolkit <http://www.accessdata.com>
    PDA Seizure <http://www.paraben.com>
    Pictuate <http://www.pictuality.com>
    Safeback <http://www.forensics-intl.com/>
    Snapback <http://www.cdpi.com>
    ThumbsPlus <http://www.cerious.com/>
    Trellian-FTP <http://www.trellian.com>