MSc: Cybercrime Forensics
Cybercrime and Forensics
- Course name: Cybercrime and Forensics
- Course number: SNE-???
Course characteristics
Key concepts of the class
- Law, regulations and modern tendencies of the high-tech crimes
- Computer forensics approaches and techniques
- Incident response and threat hunting methods
What is the purpose of this course?
Modern tactics and techniques of high-tech crimes, including counter -forensics methods, are evolving rapidly according to the past several years. Therefore, the purpose of this course is to provide for students the necessary knowledge and abilities to obtain and analyze digital evidence in a way to provide investigations that will comply with the current law and regulations. Another purpose for the course is to learn for students how to counteract with ongoing computer incidents, intrusions and to perform threat hunting in the computer systems
Prerequisites
The course has been designed to be self-included as much as possible. The successful completion will depend on prerequisite courses such as:
- CSE520 — Security of systems and networks
- Essential skills
- Classical Internet Applications
Course Objectives Based on Bloom’s Taxonomy
What should a student remember at the end of the course?
By the end of the course, the students should be able to identify and define
- Methods for investigating and responding to cybersecurity incidents
- Main types of computer attacks and the technical and non-technical techniques used by attackers;
- Compliance requirements to produce valid computer-technical expertise for further legal procedures;
- Aquisition techniques depending on the affected digital media and environment conditions
- Computer systems’ artifacts that were affected during the incident
- Specific hardware and software forensic tools depending on the type of incident;
- Decryption and decoding methods for protected and hidden data, methods of counter-forensics technology.
What should a student be able to understand at the end of the course?
By the end of the course, the students should be able to describe and explain
- Difference between different types of computer incidents
- The difference in compliance requirements for specific cybercrime cases
- Computer attacker model and kill chain tactics
- Filesystems analysis methods
- Volatile memory analysis methods
- Network analysis methods
- Malware analysis methods
What should a student be able to apply at the end of the course?
By the end of the course, the students should be able to demonstrate
- Organizing an incident response to a cybersecurity incident and minimize potential damage
- Determination of the type and causes of the incident
- Determination of the computer systems’ artifacts that are required for the acquisition
- Collection of digital evidence and proper documentation of it
- Recovered deleted and hidden information
- Restored an incident chronology during the investigation, determination of the methods used by the attacker and the impact on the attacked system
- Conduction of investigation on various types of computer attacks
- Conduction malware analysis
- Correct and efficient usage of open source forensics software and hardware
Course evaluation
| Type | Default points | Proposed points |
|---|---|---|
| Labs/seminar classes | 20 | 20 |
| Project | 30 | 60 |
| Exam | 50 | 20 |
If necessary, please indicate freely your course’s features in terms of students’ performance assessment: None
Grades range
| Grade | Default range | Proposed range |
|---|---|---|
| A. Excellent | 90-100 | 90-100 |
| B. Good | 75-89 | 70-89 |
| C. Satisfactory | 60-74 | 60-69 |
| D. Poor | 0-59 | 0-59 |
If necessary, please indicate freely your course’s grading features:
The laboratory assignments are mandatory with a required minimum result of 6/10 for each - including re-takes and late submissions - to complete the course. The semester starts with the default range as proposed in the Table above, but it may changes slightly depending on how the semester progresses.
Resources and reference material
- “Practical forensic imaging. Securing digital evidence with Linux tools”. Bruce Nikkel
- “Incident response and computer forensics”. K.Mandia, C.Prosise, and M.Pepe
- “Digital Evidence and Computer Crime”. Eoghan Casey
Course Sections
| Section | Section Title | Teaching Hours |
|---|---|---|
| 1 | Modern high-tech crimes and the law | 4 |
| 2 | Data acquisition and securing digital evidence | 4 |
| 3 | Computer systems’ artifacts and their analysis methods | 6 |
| 4 | Volatile data analysis methods | 6 |
| 5 | Incident response and threat hunting | 4 |
| 6 | Labs | 56 |
Section 1
Section title: Modern high-tech crimes and the law
Topics covered in this section:
- Law, regulations and modern tendencies of the high-tech crimes
- Computer forensics approaches and techniques
- Incident response and threat hunting methods
What forms of the evaluation were used to test students’ performance in this section?
| Form | Yes/No |
|---|---|
| Development of individual parts of software product code | 0 |
| Homework and group projects | 1 |
| Midterm evaluation | 0 |
| Testing (written or computer based) | 1 |
| Reports | 1 |
| Essays | 0 |
| Oral polls | 0 |
| Discussions | 1 |
Typical questions for ongoing performance evaluation within this section
- What are the typical attacks which can be used against the banking system?
- What is the attacker model?
- What is the computer incident?
- What types of incidents can lead to criminal code articles for an attacker?
Typical questions for seminar classes (labs) within this section
- Identify risks and develop mitigation techniques before acquiring evidence for a given case
- Develop an attacker model for a specific incident
- Identify the most important compliance requirements for preservation evidence in the court case?
Test questions for final assessment in this section
- As above
Section 2
Section title: Data acquisition and securing digital evidence
Topics covered in this section:
- Compliance requirements for the evidence acquisition
- Non-volatile data evidence collection
- Volatile data evidence collection
- Securing digital evidence with open source tools
What forms of the evaluation were used to test students’ performance in this section?
| Form | Yes/No |
|---|---|
| Development of individual parts of software product code | 0 |
| Homework and group projects | 1 |
| Midterm evaluation | 0 |
| Testing (written or computer based) | 1 |
| Reports | 1 |
| Essays | 0 |
| Oral polls | 0 |
| Discussions | 1 |
Typical questions for ongoing performance evaluation within this section
- What are the pros and cons of using software or hardware tools for acquisition?
- What are the important steps to perform data evidence acquisition on the live system?
- What is the difference between non-volatile and volatile data from the perspective of computer forensics?
- What are the legal aspects of preparing before conducting computer forensic analysis based on the positions and responsibilities of forensic investigators?
- What kind of computer systems’ components would be less important during a live acquisition?
Typical questions for seminar classes (labs) within this section
- Depending on the incident define software and hardware that can be used to collect and preserve digital evidence
- Collect the evidence on a virtual environment
- Collect the evidence from the live system
- Collect the evidence of the volatile data
- Provide integrity, confidentiality, and non-repudiation for acquired evidence
Test questions for final assessment in this section
As above
Section 3
Section title:
Topics covered in this section: Computer systems’ artifacts and their analysis methods
- Anti-forensics methods and recovery information
- Windows forensics
- Filesystem forensics
What forms of the evaluation were used to test students’ performance in this section?
| Form | Yes/No |
|---|---|
| Development of individual parts of software product code | 0 |
| Homework and group projects | 1 |
| Midterm evaluation | 0 |
| Testing (written or computer based) | 1 |
| Reports | 1 |
| Essays | 0 |
| Oral polls | 0 |
| Discussions | 1 |
Typical questions for ongoing performance evaluation within this section
- What kind of methods do you know for an attacker to hide and delete information?
- What are the important artifacts that can be used for the analysis of the Windows systems?
- What is the difference between DEFT and CAIN software forensics distributions?
- What is MAC time?
- What is the conceptual difference between FAT and NTFS?
Typical questions for seminar classes (labs) within this section
- Analyze the incident that involves the USB stick of the attacker
- Create a timeline based on the timestamps of the artifacts
- Find and recover hidden information on the hard drive
- Extract and analyze filesystem journals
- Find encrypted information
- Identify the slack spaces that contain deleted data
Test questions for final assessment in this section
As above
Section 4
Section title: Volatile data analysis methods
Topics covered in this section:
- Operating memory forensics
- Network forensics
What forms of the evaluation were used to test students’ performance in this section?
| Form | Yes/No |
|---|---|
| Development of individual parts of software product code | 0 |
| Homework and group projects | 1 |
| Midterm evaluation | 0 |
| Testing (written or computer based) | 1 |
| Reports | 1 |
| Essays | 0 |
| Oral polls | 0 |
| Discussions | 1 |
Typical questions for ongoing performance evaluation within this section
- What is fileless malware?
- How can rootkits affect the evidence?
- What kind of operating memory artifacts can be useful for cybercrime investigation?
- What is difficult about dumping a memory?
- What is difficult about dumping network traffic?
Typical questions for seminar classes (labs) within this section
- Identify direct kernel object manipulation in the given sample
- Find unlinking from the active process list
- Trace and detect used cryptographical keys on the incident
- Determine the original source of an attacker’s compromise on the given network traffic
- Establish and present a timeline of the attacker’s activities for a specific case
Test questions for final assessment in this section
As above
Section 5
Section title: Incident response and threat hunting
Topics covered in this section:
- Introduction to incident response
- Sandboxing
- Malware analysis
- SOC analysis tasks
- Monitoring, logging and auditing of security events
What forms of the evaluation were used to test students’ performance in this section?
| Form | Yes/No |
|---|---|
| Development of individual parts of software product code | 0 |
| Homework and group projects | 1 |
| Midterm evaluation | 0 |
| Testing (written or computer based) | 1 |
| Reports | 1 |
| Essays | 0 |
| Oral polls | 0 |
| Discussions | 1 |
Typical questions for ongoing performance evaluation within this section
- What limitations might you have during the incident response?
- What type of incident responses can be provided during the incident
- What is the difference between incident response and computer forensics in general
- What is sandboxing and how it could be used in the incident response?
- What type of threats can occur for investigators during investigation?
Typical questions for seminar classes (labs) within this section
- Identify the methods that can detect anomaly behavior for a typical Windows system processes
- Identify persistence mechanisms that are used by the given malicious process
- Identify illegitimate network activity on the given network traffic
- Develop an effective sandboxing environment for malware detection and examination of its behavior
- Develop indicators of compromise to detect threats on multiple systems
Test questions for final assessment in this section
As above