CS449/649 : Computer and Internet Forensics

Course Syllabus

Spring, 2026

(MW, 10-11:15; TBE B-172)

Instructor:

Prof. Hal Berghel; office: TBE B-378A; phone: 702-895-2441;

pick one: {hal.berghel \\unlvdomain, hlb \ \acm/ /org, hlb \ \computer/ /org }

office hours: Monday-Friday - 8:30 am to 9:50 am and by appointment.

Teaching Assistant: Natalie Tong (tongn2 \\unlv.nevada // edu)

General notes:

  1. The Syllabus for this course will be maintained on the instructor's website at www.berghel.net/sat
  2. The assigned readings will come from online resources. URLs for the readings will be listed in the syllabus under "reading assignments." Note that reading assignments are for the current syllabus entry (i.e., read the assignment for the next class ahead of class). Exam questions regarding the assigned readings will be taken from the course Study Guide, the value of which will be clearly indicated on the assignment.
  3. UNLV POLICIES AND RESOURCES
    1. The current UNLV policies that govern instruction are posted on the website of the Office of the Executive Vice President and Provost at https://www.unlv.edu/policies/students.
    2. In addition, these resources may be of interest:
      1. Writing Center Statement
      2. Tutoring Availability
      3. UNLV Annual Security Report
      4. UNLV campus police crime log
      5. UNLV Institutional Metrics

    3. CLASS POLICIES
      1. EXAMS: All exams are closed book, closed notes, all electronic devices turned off. Any student caught with an active mobile device during an exam will receive a grade of F for the exam.
      2. GENERATIVE AI: All students are responsible for submitted work, irrespective of tools used to create it. Any use of generative AI to create content or make translations for use in coursework must be completely transparent and acknowledged in the submitted work. A minimum for complete transparency will include (a) acknowledgement of the use of GenAI, (b) the name of the GenAI tool(s), and (c) identification of the "imported" GenAI content in the document(s) affected (either by quotation, footnote, or endnote). Further, students must retain the complete GenAI content until the end of term, should it be requested for comparison purposes. It must be noted that any use of GenAI must be consistent with existing intellectual property laws and UNLV policies.
      3. ATTENDANCE: Attendance will be taken. Students with at most 1 (one) unexcused absence (e.g., due to health problems, religious holidays, official UNLV activities) as recorded by the classroom attendance sheet, will receive a bonus of 10% on their lowest exam grade. For this purpose, class attendance will mean attending for the entire class period (late arrival/early departure do not count as full attendance).
      4. GRADING SCALE: Grading will be on a standard "university scale," i.e., 90-100=A; 80-89=B; etc. Exam grades are curved to ensure that the average is at least 75%.
      5. FINAL GRADE: A tentative grade will be determined by averaging the regular exams during the semester and applying the "university scale" and adding any bonus that might apply. You are only required to take the final exam if you wish to attempt to improve your grade. If you are satisfied with this grade, you need not take the final exam. If you wish to improve your course grade, your final grade will be averaged in with your semester grade according to a formula announced in class during dead week.
      6. SEMESTER PROJECT (CS649 only): Students enrolled in CS649 will be required to complete a semester project or report relating to Computing and Network Forensics in addition to the normal coursework. Details are to be negotiated with the instructor on an individual basis before the first class period of the fifth week of the semester.

      Course Description:

      Basics of Computer Forensics and Internet Forensics. How to protect your privacy on the internet: E-mail, obfuscation, web sites and servers. Encryption, data hiding, and hostile code. Investigating Windows and Unix. Technical and legal issues regarding digital evidence collection and forensics analysis. Prerequisites: CS202 and junior standing. 3 credits.

      Course Materials:

      1. Most reading assignments will either relate directly to the course notes/slides provided on this syllabus, or will be public domain material linked to this syllabus. In addition, you may find the following resources of value.
        1. SANS Resources
          1. SANS IPv4 TCP/IP and tcpdump Pocket Reference Guide (The version that will be attached to relevant exams)
          2. Lenny Zeltser's Reverse Engineering Malware FAQs
        2. Instructor's Notes
          1. Instructor's notes on Positional Number Systems and Boolean Algebra
          2. Instructor's notes on TCPdump commands and filters
          3. Instructor's study guide to selected reading assignments
        3. Instructor's Online Resources
          1. Better Than Nothing Security Practices
          2. The Packet Pal Primer (an Internet Protocol Resource)
          3. The CGI-Bin Bin (a guide to CGI programming circa 1996)
          4. The World Wide Web Test Pattern (find out interactively what the 1990s browser wars were about)
        4. Instructor's TCP/IP Lecture Slides (CS448/648 & CS449/649)
          1. IPv4
          2. TCP/UDP
          3. ICMP
          4. DNS-ARP
          5. HTTP
          6. BGP
          7. IPsec
          8. Instructor's Online Packet Guide: Packet Pal Primer
        5. Wikipedia search terms relevant to lectures
          1. TCP/IP Protocols:
            1. IP & ARP: {Internet protocol suite, Classful network, Subnet, Classless Inter-Domain Routing, Supernetwork, IPsec, Network address translation, Address Resolution Protocol, Link layer}
            2. TCP & UDP: {Transmission Control Protocol, Sliding window protocol, 3-way handshake, TCP/IP stack fingerprinting, User Datagram Protocol}
      2. Useful Online References:
        1. TCP/IP References
          1. Charles Kozierok's TCP/IP Guide (online): http://tcpipguide.com/free/
        2. Wireshark References
          1. Wireshark Capture Filter Expressions: http://wiki.wireshark.org/CaptureFilters
          2. Wireshark Sample Captures: http://wiki.wireshark.org/SampleCaptures#ARP.2FRARP
        3. Forensics Papers
          1. Carrier, Brian and Eugene Spafford, "An Event-Based Digital Forensic Investigation Framework"
          2. Carrier, Brian: "Defining Digital Forensic Examination and Analysis Tools"
          3. Carrier, Brian: "Performing an Autopsy Examination on FFS and EXT2FS Partition Images"
        4. Manuals
          1. WinDump Manual
          2. Notes on TCPdump and Windump
          3. Snort Commands
          4. ASCII Table
          5. Packet Pal Primer
          6. Berghel/Hoelzer: Pernicious Ports, CACM, December, 2005
          7. Wireshark Display Filters
        5. Trusted-Source Network in Digital Security
          1. Schneier on Security - the most accurate security blog on the internet
          2. Krebs on Security - the best general-purpose security blog on the internet
        6. Watchlist of Future Threat Vectors
          1. Election Fraud and Digital Ballot Boxes:
            1. The Verified Voting Foundation
            2. The VVF's Principles for Voting Systems
          2. The NSA ANT Catalog
          3. The DIY Ransomware software ad from the Isle of Man March 2, 2017
          4. CIA Tradecraft DOs and DON'Ts for Malware Development (text; src: Wikileaks; cf. esp. "(U) Networking"). See also Helpful(?) coding tips from the CIA's school of hacks, Ars Technica, March 8, 2017
          5. The NSA's Media Engagement (aka: Deception) Plan
          6. Micah Lee, "It's Impossible to Prove your Laptop hasn't been Hacked...", The Intercept, April 28, 2018.
          7. Micah Lee, "Edward Snowden's New App uses your smartphone to physically guard your laptop," The Intercept, December 27, 2017.
        7. Interesting Digital Archives
          1. IEEE Computer Society's Computing Conversations by Chuck Severance
          2. AT&T's Tech Channel
        8. Dan Kaminsky's Black Ops Series
        9. Relevant Videos
          1. Whitfield Diffie: Information Security - Before and After Public-Key Cryptography; Computer Museum
          2. Vint Cerf on the History of Packets (video)
          3. The Cloud Conspiracy 2008-2014 by Caspar Bowden [31c3, Dec. 2014]
          4. NSA: Tell No One by James Bamford [31c3, Dec. 2014]
        10. Innervation
          1. Dr. Chuck's iPad Steering Wheel Mount
          2. the ill-fated Clipper Chip
        11. GenerativeAI
          1. H. Berghel, An Overview of Generative AI Acceptable Use Policies by Universities With Top 25 Computer Science Programs (2025) IEEE Computer, September, 2025. doi: 10.1109/MC.2025.3587371.
          2. D. Berry, Why Large Language Models Appear to Be Intelligent and Creative: Because They Generate Bullsh*t!, IEEE Computer, June, 2025. doi: 10.1109/MC.2025.354745
          3. H. Berghel, Generative Artificial Intelligence, Semantic Entropy, and the Big Sort, IEEE Computer, January, 2024. DOI: 10.1109/MC.2023.3331594
          4. H. Berghel, Cyberdidacticism: The New Epistemic Paradigm..., IEEE Computer, 58:5 (2025) DOI: 10.1109/MC.2025.3548920
          5. Google Threat Intelligence Group, Adversarial Misuse of Generative AI, 2025 January.
          6. E. Shein, The Impact of AI on Computer Science Education, CACM, July 30, 2024. DOI: 10.1145/3673428
          7. R. Thubron, University cancels publication of coding competition results over AI cheating fears, Techspot, April 28, 2025.
          8. K. Hawkinson, ChatGPT use linked to cognitive decline, research reveals, The Independent, 20 June, 2025.
          9. M. Lepp, J. Kaimre, Does generative AI help in learning programming: Students' perceptions, reported use and relation to performance, Computers in Human Behavior Reports, May 2025.
          10. Gary Marcus on the Massive Problems Facing AI and LLM Scaling (YouTube, Jan 19, 2026)
          11. F. Neffke, et al., AI is already writing almost one-third of new software code, Complexity Science Hub, 22.01.2026
          12. S. Daniotti, et al., Who is using AI to code? Global diffusion and impact of generative AI, Science, 22 Jan 2026.
        12. Miscellaneous
          1. PRPL's: Security Guidance for Critical Areas of Computing, January, 2016
          2. Dylan Curran, Are you ready? Here is all the data Facebook and Google have on you, The Guardian, March 30, 2018
          3. Bruce Schneier: The Security Mirage (Online TED presentation)
  4. Recommended References: (although not required, these are standard references for computer and Internet forensics).
    1. Brian Carrier, File System Forensic Analysis, Addison-Wesley, Reading
    2. Charles Kozierok, TCP/IP Guide, NoStarch Press, San Francisco (2014)
    3. Sherri Davidoff and Jonathan Ham, Network Forensics: Tracking Hackers through Cyberspace, Prentice-Hall (2012)
    4. Laura Chappell, Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide, Laura Chappell University (2010)
    5. Laura Chappell, Wireshark Network Analysis, 2nd ed., Chappell University (2012) [she has several good books on Wireshark, but this is the best IMHO]
    6. Charles and Shari Pfleeger, Security in Computing, Prentice Hall (2007)
    7. Gordon Fyodor Lyon, NMAP Network Scanning, Nmap Project (2009) (partially online @ nmap.org)
    8. John Vacca (ed.): Computer and Information Security Handbook, Elsevier (2013) [a useful, encyclopedic approach]
    9. Dave Roberts, Internet Protocols Handbook, Coriolis Group (1996) [an oldie and a goodie - still a useful introduction to TCP/IP. If you can find this in a used bookstore for a few bucks, grab it - it's still a handy (if outdated) reference]
    10. Ferrara, et al, CyberLaw: Text & Cases, SouthWestern Cengage Learning, 3rd ed, 2012.
    11. Abraham Wagner and Nicholas Rostow, Cybersecurity and Cyberlaw, Carolina Academic Press, 2020.

    ABET Course Outcomes

    By the end of the term, you will:

      Part I: Network Forensics

    1. Understand Core TCP/IP Protocols
      • Understand anomalous packet traffic and the role of RFCs in defining Internet Protocols
      • Understand the OSI and TCP/IP network models and their inter-relationship
      • Understand how ARP and DNS function
      • Understand the role of data fields and flags within TCP/IP packets
      • Understand the TCP 3-way handshake
      • Understand the operation of packet-based networks
      • Understand common network topologies
      • Understand the fundamentals of packet analysis in threat detection
    2. Understand the use of Packet Analysis and Packet Crafting in Digital Forensics
      • Understand the basic tools for Packet Analysis at the network and transport layer
      • Understand the basic tools for Packet Crafting at the network and transport layer
      • Understand the basic tools for Packet Analysis at the link (aka network access) layer
      • Understand how to analyze common packet headers
      • Understand the concept of protocol encapsulation
    3. Understand Common Threat Vectors
      • Understand common hacking strategies
      • Understand common categories of malware
        • viruses, worms and trojan horses
        • Understand metamorphic and polymorphic exploits
        • Understand zero-day exploits
        • Understand hydra-headed exploits (e.g., Stuxnet, Flame)
      • Understand the role of RFCs in out-of-band packet crafting
      • Understand covert channeling
      • Understand common denial-of-service exploits (DOS, DDOS, Ping-of-Death, etc.)
      • Understand Buffer Overflows
    4. Understand Common Mitigation Strategies
      • Understand Defensive Strategies
        • Why Security-through-Obscurity doesn't work
        • Defense-in-Depth
        • Time-Based Security
        • Monitoring and Auditing
      • Understand Stimulus-Response Theory
      • Understand Firewall Rulebase Construction
      • Understand Intrusion Detection Systems
      • Understand Intrusion Prevention Systems
    5. Understand Anti-Forensics Strategies
      • Metasploit Project
      • Anonymizing
      • Onion routing and TOR
      • Remailing
      • Understand Encryption

      Part II: Computer Forensics

    6. Understand Basic Computer Forensics Techniques
      • Basic Understanding of a Forensic Workstation
      • Basic Understanding of Computer Forensics Software
        • Encase
        • XWay Forensics
        • FTK
        • Sleuth Kit
      • Understand the Principle of Evidence Collection and Evidence Handling (esp. Chain-of-Custody and Evidence Integrity) in Forensics Investigations
      • Understand the difference between analysis of live and dead systems
      • Understand the relationships between OS and disk structures
        • Windows-DOS, FAT, FAT32, NTFS, VFAT
        • MAC - HFS
        • Linux - EXT2/3
      • Understand the basics of media analysis vis-a-vis disk structure
      • Understand the concept of and opportunities for data hiding
      • Understand the challenges of live system imaging
      • Understand BRAP forensics
    7. Understand the use of Digital Forensics in:
      • Digital crime (cybercrime)
      • Digital, transnational money laundering
      • Understand basic firewall theory
      • Understand network reconnaissance
      • Network hacks
      • Understand basic data hiding techniques on computers and networks
      • Phishing

    ABET Core Competencies

    1. An understanding of the implications, remediation, and avoidance strategies of digital security breaches
    2. Situational awareness of the use of forensics by law enforcement, intelligence agencies, military, terrorists, criminals, and state sponsors.
    3. The ability to distinguish between types of digital forensics, and understand the capabilities of each.
    4. You will develop a working knowledge of computer and network forensics and their tools
    5. You will be able to work within a digital security environment
    6. You will understand some of the digital/electronic/computing/networking technologies behind digital forensics

    Tentative Syllabus

    note 1: The UNLV IEEE Xplore digital library institutional license (ieeexplore.ieee.org from any UNLV IP address) and UNLV ACM digital library institutional subscription (dl.acm.org from any UNLV IP address) may be used to access IEEE and ACM assigned readings. In both cases use the title as the search term. Whenever possible, I will provide alternative convenient links consistent with copyright, but I cannot guarantee the persistence of the links.

    note 2: Refer to the Instructor's Study Guide to selected assigned readings in preparation for exams.

    Week of January 19: Topic: Legal Issues in Computing and Information Technology (continued from CS448)

    Weeks of January 26 and February 2: Topic: Introduction to Computer and Media Forensics

    February 3 & 9: Anonymity on the Internet


    NOTE: Bring a copy of the SANS IPv4 TCP/IP and tcpdump Pocket Guide to class from this point on. For your online convenience, feel free to use my online Packet Pal Primer. For additional detail, I recommend Charles Kozierok, TCP/IP Guide, NoStarch Press, San Francisco (2014). An introduction may be found in A Protocol Layer Survey of Network Security, Advances in Computers 64, pp. 109-158 (2005).


    Week of February 16 : TCP/IP Protocols: IPv4

    Week of February 23 and March 2: TCP/IP Protocols: TCP and UDP

    March 9: Exam I (note: the date reflects the cancellation of class on Feb. 11 due to a failure of the projection system.)

    Exam 1 - The exam is "closed everything": e.g., "closed book," "closed notes," PDAs and computers turned off, cell phones off, etc. A copy of the SANS TCP/IP Guide will be attached to your exam for reference purposes. The detection of any notes or mobile devices in use will result in an exam grade of F. Questions will come from two sources: lectures and assigned readings. Be sure to confirm that you use the current version of the study guide: _______. F.y.i., the second exam is tentatively scheduled for Wed, April 29, 2026, and the optional final is scheduled for Monday, May 11, from 10:10-12:10.