Basics of Computer Forensics and Internet Forensics. How to protect your privacy on the internet: E-mail, obfuscation, web sites and servers. Encryption, data hiding, and hostile code.
Investigating Windows and Unix. Technical and legal issues regarding digital evidence collection and forensics analysis. Prerequisites: CS202 and junior standing. 3 credits.
Recommended References: (although not required, these are standard references for computer and Internet forensics).
- Brian Carrier, File System Forensic Analysis, Addison-Wesley, Reading
- Charles Kozierok, TCP/IP Guide, NoStarch Press, San Francisco (2014)
- Sherri Davidoff and Jonathan Ham, Network Forensics: Tracking Hackers through Cyberspace, Prentice-Hall (2012)
- Laura Chappell, Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide, Laura Chappell University (2010)
- Laura Chappell, Wireshark Network Analysis, 2nd ed., Chappell University (2012) [she has several good books on Wireshark, but this is the best IMHO]
- Charles and Shari Pfleeger, Security in Computing, Prentice Hall (2007)
- Gordon Fyodor Lyon, NMAP Network Scanning, Nmap Project (2009) (partially online @ nmap.org)
- John Vacca (ed.): Computer and Information Secutiy Handbook, Elsevier (2013) [a useful, encyclopedic approach]
- Dave Roberts, Internet Protocols Handbook, Coriolis Group (1996) [an oldie and a goodie - still a useful introduction to TCP/IP. If you can find this in a used bookstore for a few bucks, grab it - it's still a handy (if outdated) reference]
- Ferrara, et al, CyberLaw: Text & Cases, SouthWestern Cengage Learning, 3rd ed, 2012.
- Abraham Wagner and Nicholas Rostow, Cybersecurity and Cyberlaw, Carolina Academic Press, 2020.
ABET Course Outcomes
By the end of the term, you will:
Part I: Network Forensics
- Understand Core TCP/IP Protocols
- Understand the operation of packet-based switching networks
- Understand common network topologies
- Understand the fundamentals of packet analysis in threat detection
- Understand anomalous packet traffic and the role of RFCs in defining Internet Protocols
- Understand the OSI and TCP/IP network models and their inter-relationship
- Understand how ARP and DNS function
- Understand the role of data fields and flags within TCP/IP packets
- Understand the TCP 3-way handshake
- Understand the use of Packet Analysis and Packet Crafting in
Digital Forensics
- Understand the basic tools for Packet Analysis at the network and transport layer
- Understand the basic tools for Packet Crafting at the network and transport layer
- Understand the basic tools for Packet Analysis at the link (aka network access) layer
- Understand how to analyze common packet headers
- Understand the concept of protocol encapsulation
- Understand Common Threat Vectors
- Understand common hacking strategies
- Understand common categories of malware
- viruses, worms and trojan horses
- Understand metamorphic and polymorphic exploits
- Understand zero-day exploits
- Understand hydra-headed exploits (e.g., Stuxnet, Flame)
- Understand the role of RFCs in out-of-band packet crafting
- Understand covert channeling
- Understand common denial-of-service exploits (DOS, DDOS, Ping-of-Death, etc.)
- Understand Buffer Overflows
- Understand Common Mitigation Strategies
- Understand Defensive Strategies
- Why Security-through-Obscurity doesn't work
- Defense-in-Depth
- Time-Based Security
- Monitoring and Auditing
- Understand Stimulus-Response Theory
- Understand Firewall Rulebase Construction
- Understand Intrusion Detection Systems
- Undersand Intrusion Prevention Systems
- Understand Anti-Forensics Strategies
- Metasploit Project
- anonymizing
- onion routing and TOR
- remailing
- Understand Encryption
Part II: Computer Forensics
- Understand Computer Forensics
- Basic Understanding of a Forensic Workstation
- Basic Understanding of Computer Forensics Software
- Encase
- XWay Forensics
- FTK
- Sleuth Kit
- Understand the Principle of Evidence Collection and Evidence Handling (esp. Chain-of-Custody and Evidence Integrity) in Forensics Investigations
- Understand the difference between analysis of live and dead systems
- Understand the relationships between OS and disk structures
- Windows-DOS, FAT, FAT32, NTFS, VFAT
- MAC - HFS
- Linux - EXT2/3
- Understand the basics of media analysis vis-a-vis disk structure
- Understand the concept of and opportunities for data hiding
- Understand the challenges of live system imaging
- Understand BRAP forensics
- Understand the use of Digital Forensics in:
- digital crime (cybercrime)
- digital, transnational money laundering
- Understand basic firewall theory
- Understand network reconnaissance
- network hacks
- Understand basic data hiding techniques on computers and networks
- phishing
ABET Core Competencies
- An understanding the implications, remediation, and avoidance strategies of digital security breaches
- Situational awareness of the use of forensics by law enforcement, intelligence agencies, military, terrorists, criminals, and state sponsors.
- The ability to distringuish between types of digital forensics, and understand capabilities of each..
- You will develop a working knowledge of computer and network forensics and their tools
- You will be able to work within a digital security environment
- You will understand some of the digital/electronic/computing/networking technologies behind digital forensics
Syllabus (tentative - subject to change)
note: The UNLV IEEE Xplore digital library institional license (ieeexplore.ieee.org from any UNLV IP address) and UNLV ACM digital library institutional subscription (dl.acm.org from any UNLV IP address) may be used to access IEEE and ACM assigned readings. In both cases use the title as the search term.
Whenever possible, I will provide alternative convenient links consistent with copyright, but I cannot guarantee the persistence of the links.
note 3: Refer to the Instructor's Study Guide to selected assigned readings in preparation for exams.
Weeks of January 16 and 22: Basic Digital Media Forensics
Week of January 29: Covert Data Hiding on Digital Media and
- Lecture Notes
- Assigned Readings
- Watermarking Cyberspace, Communications of the ACM, 40:11, 1997; DOI: 10.1145/265684.265687
- Disk Wiping By Any Other Name, Communications of the ACM, 49:8, 2006; DOI: 10.1145/1145287.1145303
- Identity Theft and Financial Fraud, IEEE Computer, 45:2, 2012. DOI: 10.1109/MC.2012.16
- Optional Readings
- Does Elon Musk use line-spaced digital watermarking?, The Intercept, 12/05/22
week of February 5: Legal Issues in Computing
NOTE: Brimg a copy of the SANS IPv4 TCP/IP and tcpdump Pocket Guide to class from this point on. For your online convenience,
feel free to use my online The Packet Pal Primer .
Week of February 12: the IPv4 Protocol: Lecture Notes
February 19 - no class. President's Day.
February 21 - Exam 1 -Exam is "closed everything": e.g., "closed book," "closed notes,"
PDAs and computers turned off, cell phones off, etc. The detection of any mobile device in use will result
in an exam grade of F. Questions will come from 3 sources: lectures, assigned readings, and homework.
Be sure to confirm that you have the latest revision of the study guide: 011923 or later.
Week of February 26: the TCP and UDP Protocols: Lecture Notes
Week of March 4: the ICMP Protocol Lecture Notes and DNS and ARP Protocols: Lecture Notes
Week of March 11: Spring Break: No Classes
Week of March 18: the HTTP Protocol
March 25: special class: optional make-up exam - This exam will only be administered by request of student. Register with TA by noon, March 18, 2024. If you register by this time/date, an exam with your name on it will be available; else, you will not be able to sit the make-up exam.
March 27 .: In Class Packet Analysis with Wireshark & TCPdump
- Practice Homework: Complete this worksheet on packet dissection for review:
- Packet Analysis:
- Wireshark: homework and datafile. Load datafile into Wireshark and answer
the questions. We will go over this in class.
- TCPdump: Review the online TCPdump notes and TCPdump handout
and compare with your Wireshark homework answers.
April 1: A Paradigm Cyber-Kinetic Attack Vector: Operation Olympic Games (Stuxnet)
April 3 - 8: Stimulus-Response Theory Lecture Notes
April 10: S-R Theory (concl) & Part 1 of Basic Firewall Design Lecture Notes
April 15: TCPdump Demonstration
April 17 - Exam 2 -Exam is "closed everything": e.g., "closed book," "closed notes,"
PDAs and computers turned off, cell phones off, etc. The detection of any mobile device in use will result
in an exam grade of F. Questions will come from 3 sources: lectures, assigned readings, and homework assigned since February 12.
Be sure to confirm that you have the latest revision of the study guide: 011923 or later.
Week of April 22: Part 2 of Basic Firewall Design (Cisco firewalls):
Lecture Notes; Basic Network Security: Lecture Notes
April 29: WiFi Attack Vectors lecture Notes
May 1: Mobile Forensics Lecture Notes and Moral Hazards in the Cyber Vulnerability Markets Lecture Notes
FINAL EXAM: Monday, May 6, 2024, 10:10am - 12:10pm, TBE B-172
(All Exams will be "closed everything": e.g., "closed book," "closed notes," PDAs and computers turned off, cell phones off, etc.
Final Exam is cumulative and will cover all assigned course materials during the semester (except materials marked "supplementary").