ITN 276 Syllabus

 Division:       Arts and Sciences                                                                                                   Date:  February 2014

 Curricula in Which Course is Taught:             Cybercrime Investigation certificate

 Course Number and Title:           ITN 276, Computer Forensics I

Credit Hours:   3-4              Hours/Wk Lecture:  3-4                 Hours/Wk Lab:                    Lec/Lab Comb:    3-4


       I.            Catalog Description: Teaches computer forensic investigation techniques for collecting computer-related evidence at the physical layer from a variety of digital media (hard drives, compact flash and PDAs) and performing analysis at the file system layer. Prerequisite: ITN 106, ITN 107. Co-requisite: ITN 260. Credit will be given to ITN 275 or ITN 276 and ITN 277, but not all three courses.


    II.        Relationship of the course to curricula objectives in which it is taught: This course helps students understand how to collect, analyze and evaluate evidence data from various sources using a variety of software.


 III.            Required background:  ENF 2 as a corequisite


  IV.        Course Content:

A.    Understanding Computer Forensics

a.    History of computer forensics

b.    Computer forensics as a career

c.    Professional certification and organizations

B.   Legal Issues in Computer Forensics

a.    Law enforcement investigations

b.    Corporate investigations

c.    Professional ethics and conduct

C.   Preparing for an Investigation

a.    Forensic resources

b.    Preparing a forensic toolkit

D.   Securing a System for Investigation

E.   Evidence Preparation

a.    Employing media wiping tools

b.    Employing checksums/hashing as validation

c.    Bit-by-bit copies

F.    Analyzing and Understanding File Systems

a.    Fat 12

b.    Fat 16

c.    Fat 32

d.    NTFS

G.   Data Acquisition at a Physical Layer

a.    Imaging a system using forensic tools

                                                  i.    Using write-blockers

                                                ii.    Using court accepted tools to duplicate drives

b.    Understanding drive geometry

c.    Understanding file systems and disk partitioning

d.    Hashing the drive

H.   Analyzing Data

a.    Recovering data at physical layer using court accepted forensic tools

b.    Examining DOS and Windows disk structures

c.    Understanding the boot sequence

d.    Examining NTFS and FAT file systems

e.    NTFS Data Streams

I.      Examining Other Media Structures

a.    Floppies

b.    CDs

c.    Thumb/flash drives

J.    Recovering Deleted and Encrypted Data from a File System

a.    Manually recovering a deleted file, directory and partition in the FAT file system

b.    Manually recovering data remnants from slack space in the FAT file system

c.    Manually recovering data remnants from unallocated space in the FAT file system

d.    Manually recovering file names from the directory entry table in the FAT file system

e.    Examining the NTFS file system

f.     Manually recovering deleted files in the NTFS file system

g.    NTFS Encrypted File Systems (EFS)

h.    EFS Recovery Agent

K.   Recovering Hidden Data at a Physical Layer

a.    Hidden partitions

b.    Bit-shifting

L.    Data Carving

a.    Slack space

b.    Free space

M.   Cataloging and Storing Digital Evidence

a.    Chain of Custody

b.    Evidence transport

c.    Evidence storage

d.    Evidence Locker Room


V.  Learner Outcomes

Upon completion of the course the students will be able to:

VI.  Evaluation


Assignments, quizzes, tests, labs


A.   Collect digital evidence on a variety of computer systems using accepted forensic processes.

B.   Understand and correctly use court accepted imaging and analysis tools.

C.   Understand the legal challenges to collecting and analyzing digital evidence.

    This course supports the following objectives:

DCC Educational Objectives:

Information Literacy
Cultural and Social Understanding
Critical Thinking