Computer Forensic Learning Guide

System Intrusion and Computer Forensic Module Code: CSM203
2009 by Informatics Education Ltd A Member of Informatics Group Informatics Campus 12 Science Centre Road Singapore 609080
CSM 203 System Intrusion and Computer Forensic
Learning Guide (Draft)
First Printing October 2009
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the publisher. Every precaution has been taken by the publisher and author(s) in the preparation of this book. The publisher offers no warranties or representations, and does not accept any liabilities with respect to the use of any information or examples contained herein. All brand names and company names mentioned in this book are protected by their respective trademarks and are hereby acknowledged. The developer is wholly responsible for the contents, errors and omission.
Published by Informatics Education Ltd
ii | P a g e
Table of Contents
YOUR LECTURER ............................................................................................................... 5 UNIT SPECIFICATIONS....................................................................................................... 5 LESSON PLAN ................................................................................................................... 6 ASSESSMENT METHODS ................................................................................................. 12
ASSIGNMENT (COURSEWORK)......................................................................................................................... 12 TESTS................................................................................................................................................................ 13 EXAMINATIONS................................................................................................................................................ 13
MODULE OBJECTIVES ..................................................................................................... 15 UNIT 1: INFORMATION SECURITY FUNDAMENTALS ....................................................... 16

INTRODUCTION..................................................................................................................................................... 16 TOPICS TO BE COVERED.......................................................................................................................................... 16 DISCUSSION QUESTIONS ........................................................................................................................................ 16
UNIT 2: ADDRESSING THREATS...................................................................................... 17

UNIT 3: BACKDOORS, VIRUS AND WORMS .................................................................... 18

UNIT 4: THE HACKING CYCLE ......................................................................................... 20

UNIT 5: COMPUTER FORENSIC FUNDAMENTALS............................................................ 22

UNIT 6: TRADEMARKS, COPYRIGHT AND PATENTS ........................................................ 23

UNIT 7: NETWORK FORENSIC FUNDAMENTALS ............................................................. 24

iii | P a g e
UNIT 8: INCIDENTS RESPONSE AND FORENSICS ............................................................. 26

UNIT 9: DIGITAL EVIDENCE............................................................................................ 27

UNIT 10: STEGANOGRAPHY........................................................................................... 28

UNIT 11: ANALYSING LOGS............................................................................................ 30

UNIT 12: EMAIL CRIME AND COMPUTER FORENSICS ..................................................... 31

Your Lecturer
Instructor Name and Contact Information: Name : Email Address : Home Phone Number : Office Telephone Number :
Unit Specifications
Unit Name Unit Type Unit Description
CSM203: System Intrusion and Computer Forensic

Year 2 Core Pre-Requisite None This module introduces to students the foundation of system intrusion and computer forensic investigation, looking into the processes and tools used by hackers and computer forensic and investigation professionals. At the completion of this module a student should be able to: Understand the essentials of system intrusion and computer forensic investigation Comprehend the processes and tools used by professionals as well as penetration tester.
Learning Outcomes
Teaching Methods Main Text
Additional Reading
Weekly lessons of 3 hours, over 12 weeks, inclusive of lectures, discussions and case reviews. 1. Guide To Computer Forensics And Investigations, Amelia Phillips, Frank Enfinger, Chris Steuart, ISBN: 0619217065 2. Hacking Exposed, Mcclure, Stuart; Scambray, Joel; Kurtz, George, OSBORNE/MCGRAW, February 2009, ISBN: 0071613749/9780071613743 1. Virtual Honeypots: From Botnet Tracking to Intrusion Detection by Niels Provos; Thorsten Holz, Publisher: Addison Wesley Professional Pub Date: July 16, 2007, Print ISBN-10: 0-32133632-1, Print ISBN-13: 978-0-321-33632-3 2. www.foundstone.com www.sysinternals.com www.ntsecurity.nu www.sarc.com www.ipos.gov.sg www.wipo.int
Useful Links
5|Page
Assessment
1. 100% coursework based 2. Exam Rubric may change from time to time and module to module. Double check with school.
6|Page
Lesson Plan
S/N 1. TOPICS Information Security Fundamentals DESCRIPTION Information Security Overview Why Security? The Information Security Principles Ethical Hacking Trends in Security Essential Terminology Statistics Related to Security Information Security Laws & Regulations 2. Addressing Threats 3. Backdoors, Virus and Worms What is a Threat? Vulnerability Exposures Attacks Malicious Code Attack Description What is a Trojan? Working of Trojans Overt and Covert channels Difference Between Virus and Worm Virus History When is a virus not a virus? Life Cycle of Virus Access Methods of a Virus Indications of a Virus attack. Underground Writers Malware Protection Anti-Virus Software Popular Anti-Virus Packages Reference to C2071 Reference to C2071 CHAPTER IN TEXT Reference to C2071 ACTIVITY
7|Page
4.
The Hacking Cycle
What does a Malicious Hacker do? The Ethical Hackers Process Pre-Attack Phrases
Reference to C2071
5.
Computer Forensics Fundamentals
Definition of Computer Forensics History of Forensics Need for Computer Forensics Cyber Crime Examples of Cyber Crime Cyber Crime Investigation Process Challenges in Cyber Crime Investigations Cyber Law Approaches to the Formulation of Cyber Laws Some Areas Addressed by Cyber Law Important Federal Statues
Reference to C2070
6.
Trademarks, Copyright and Patents
Trademarks Trademark Eligibility and Benefits of Registering it Trademark Infringement Copyright Notice Investigating Copyright and Copyright
Reference to C2070
Status of a Particule Work
8|Page
How long does a copyright last? Doctrine of Fair Use Patents Plagiarism Turnitin Plagiarism Detection Tools
7.
Network Forensic Fundamentals
Challenges in Network Forensics Internet Threats External Threats Automated Computer Attack Sources of Evidence on a Network What is a router? Functions of a router A router in an OSI Type of router attack Packet Mistreating Attacks Routing Table Poisoning Router Forensics vs Computer Forensics Incident Reponse Investigating Routers Accessing the Router Router Investigation Procedures
Reference to C2070
9|Page
8.
Incidents Response and Forensics
What is an incident? How to identify an Incident? Procedure for Handling Incidents CSIRT Overview First Responder Procedure
Reference to C2070
Digital Evidence
Introduction to Digital Evidence Digital Evidence Investigation Process Securing Digital Evidence Documenting Evidence Processing and Handling Digital Evidence in a Forensics Lab Obtaining Digital Hash and Analyzing it Storing Digital Evidence Evidence Retention and Media Storage Requirements
Reference to C2070
10.
Steganography
Definition of Steganography Steganography vs. Cryptography Images Steganography Overview Strides in Steganography Steganography Steps in hiding information Applications of Steganography Digital Watermark Hiding information in Text
Reference to C2070
10 | P a g e
Files Hiding information in Network packets Steganography tools
11.
Analysing Logs
The Importance of Network Log Files Characteristics of Log Files Event Log Purposes of Log Files Log Analysis Basics Timestamps Network Management Products Protocol Analyzer
Reference to C2070
12.
Email Crime and Computer Forensics
Importance of E-Mail as Evidence Working with E-Mail Working with Webmail Working with Mail Servers Examining E-Mails for Evidence Working with Instant Messaging
Reference to C2070
Assignment Due
11 | P a g e
Assessment Methods
The assessment framework will in the form of continuous assessment and may be presented in one of the following format:
1. 2 Tests plus 1 Coursework (Test 1: 30%, Test 2: 30%, Coursework: 40%) OR 2. 3 Tests (Test 1: 30%, Test 2: 30%, Test 3: 40%) OR 3. Coursework 100%
The assessment framework will vary from module to module and subject to changes from term to term. Refer to latest module specifications for recommended exam rubric.
ASSIGNMENT (COURSEWORK)
INSTRUCTIONS: 1. The assessment criteria are: (a) Substance (b) Originality of work (c) Presentation (d) Use of illustrations / examples, where appropriate 2. Independent research on the relevant topics is encouraged. 3. Special consideration would be given to students who demonstrate an in-depth analysis of the questions. 4. Candidates who simply regurgitate their answers from the course manual may risk failing the assignment. 5. Any similarities between individual assignments will result in a fail grade. 6. The assignment should be about 2,000 words (total). 7. Pages should be clearly numbered.
12 | P a g e
8. The format of the assignment should be as follows: (a) Front cover (i.e. title page), stating the: Module name and code Students full name and I/C number Class code Name of lecturer Submission date (b) Contents page (c) Main body of the assignment (d) References Example: Kotler, P. 1997 Marketing Management Analysis Planning, Implementation, and Control 9th edn. Prentice Hall International. 9. Retain a photocopy of your course assignment. 10. Complete your assignment and hand it in by: ________12th Week____________ 11. Late Assignment Policy: Assignments must be turned in on time for full consideration of a grade. 12. Academic Honesty and Professional Conduct: At Informatics academic honesty and integrity is expected. If a student uses the ideas or words of another without crediting the source, such as literary theft, this is considered plagiarism. Documented plagiarism will result in a minimum penalty of failure in the assignment, but can result in failure in the course and/or withdrawl from the program. Students are encouraged to make use of approved referencing system like Harvard Referencing system. 13. Feedback on Assignments: Your lecturer will provide you feedback on your assignments and grades.
TESTS
Tests are conducted during the duration of the module to provide an opportunity for the student to demonstrate an understanding of the subject and materials taught. Tests are typically held at the mid-term or end of term. The test could be conducted on-line or would be paper-based. Depending on the subject matter, the length of tests could vary range from 1 hour to 3 hours. Tests could be conducted in class or in a formal exam setting.
13 | P a g e
EXAMINATIONS
Examinations are conducted at the end of each term in an exam hall setting. The duration of examinations is normally 3 hours.
Check the exam timetable with the School. The exam rubric may change from time-to-time and from module and module. Double check final rubric with your School.
14 | P a g e
Module Objectives
At the completion of this module a student should be able to: Understand the essentials of system intrusion and computer forensic investigation Comprehend the processes and tools used by professionals as well as penetration tester.
15 | P a g e
Unit 1:
Introduction
Information Security Fundamentals
This opening lesson 1 establishes the foundation for understanding the broader field of information security. This is accomplished by defining key terms, explaining essential concepts, and reviewing the origins of the field and its impact on the understanding of information security.
Topics to be Covered
Information Security Overview Why Security? The Information Security Principles Ethical Hacking Trends in Security Essential Terminology Statistics Related to Security Information Security Laws & Regulations
Discussion Questions
1. Search several government Web sites for IT-related job openings. What kinds of jobs can you find? What is the starting salary of each? What are the educational requirements? Create a list of your findings to share with the class.
2. Using a library with current periodicals, find a recent news article about a topic related to information security. Write a one- to two-page review of the article and how it is related to the principles of information security introduced in this lesson.
16 | P a g e
Unit 2:
Introduction
Addressing Threats
Lesson 2 examines current needs for security in organizations and technology. This lesson also examines the various threats facing organizations. The lesson continues with a detailed examination of the types of attacks that could occur from these threats, and how they could impact the organizations information and systems.
What is a Threat? Vulnerability Exposures Attacks Malicious Code Attack Description
1. What is the difference between a threat and an attack? 2. How do exploits relate to vulnerabilities? 3. Is there an ethically acceptable reason to study and use the various attack methods described in this module?
17 | P a g e
Unit 3:
Introduction
Backdoors, Virus and Worms
This lesson 3 establishes the foundation for understanding the broader field of Malware in Backdoors, Virus and Worms. This is accomplished by defining key terms, explaining essential concepts, and reviewing the origins of the field and its impact on the understanding of Malware in Computer Security.
What is a Trojan? Working of Trojans Overt and Covert channels Difference Between Virus and Worm Virus History When is a virus not a virus? Life Cycle of Virus Access Methods of a Virus Indications of a Virus attack. Underground Writers Malware Protection Anti-Virus Software Popular Anti-Virus Packages
1. Perhaps you have seen the TV commercial in which a bored office worker unthinkingly opens an e-mail message, which launches a virus on her computer. The virus immediately spreads to her coworkers' computers and chaos breaks out in the office. The commercial may be overly dramatic (or comic, depending on you point of view), but it raises an important question: should a worker be held responsible for bringing a virus into an organization's network, even by accident? If so, what penalties would be reasonable? How can organizations prevent such incidents?
18 | P a g e
2. Is it better to have your Internet Service Provider (ISP) filter your e-mail, buy e-mail virus scanner software for your PC, or just manually delete spam and e-mail that contains bad attachments?
19 | P a g e
Unit 4:
Introduction
The Hacking Cycle
This lesson 4 establishes the foundation for understanding the Ethical Hacker role in the field of information security. This is accomplished by defining the ethical hacker process to include the pre-attack phases.
What does a Malicious Hacker do? The Ethical Hackers Process Pre-Attack Phrases
1. What is the key difference between between information gathering techniques and enumeration? 2. Find out and report on the following enumeration techniques: 1. FTP Enumeration, TCP 21 2. Enumerating SMTP, TCP 25 3. DNS Zone Transfers, TCP 53 4. Enumerating TFTP, TCP/UDP 69 5. Finger, TCP/UDP 79 6. Enumerating HTTP, TCP 80 7. Enumerating Microsoft RPC Endpoint Mapper (MSRPC), TCP 135 8. NetBios Name Service Enumeration, UDP 137 9. NetBios Session Enumeration, TCP 139 10. SNMP Enumeration, UDP 161 11. BGP Enumeration, TCP 179
20 | P a g e
12. Windows Active Directory LDAP Enumeration, TCP/UDP 389 and 3268 13. Novell NetWare Enumeration, TCP 524 and IPX 14. UNIX RPC Enumeration,TCP/UDP 111 and 32771 15. SQL Resolution Service Enumeration, UDP 1434 16. NFS Enmeration, TCP/UDP 2049
21 | P a g e
Unit 5:
Introduction
Computer Forensic Fundamentals
Todays computer forensics is clearly a new pattern confidence, acceptance, and analysis that involves the preservation, identification, extraction, and documentation of computer evidence stored as data or magnetically encoded information. Computer forensic is about evidence from computers that is sufficiently reliable to stand up in court and be convincing. The fascinating part of science is that computer evidence is often transparently created by the computers operating system without the knowledge of the computer operator. The information may actually be hidden from view. To find it, special forensic software tools and techniques are required.
Definition of Computer Forensics History of Forensics Need for Computer Forensics Cyber Crime Examples of Cyber Crime Cyber Crime Investigation Process Challenges in Cyber Crime Investigations Cyber Law Approaches to the Formulation of Cyber Laws Some Areas Addressed by Cyber Law Important Federal Statues
1. Read and understand the issues reflected in the Napster Case Study. Discuss.
22 | P a g e
Unit 6:
Introduction
Trademarks, Copyright and Patents
Any sign or any combination of signs, capable of distinguishing the goods or services of one undertaking from those of other undertakings, shall be capable of constituting a trade mark. Such signs, in particular words including personal names, letters, numerals, figurative elements and combinations of colors as well as any combination of such signs, shall be eligible for registration as trade marks. Where signs are not inherently capable of distinguishing the relevant goods or services, Members may make registrability depend on distinctiveness acquired through use. Members may require, as a condition of registration, that signs be visually perceptible.
Trademarks Trademark Eligibility and Benefits of Registering it Trademark Infringement Copyright and Copyright Notice Investigating Copyright Status of a Particule Work How long does a copyright last? Doctrine of Fair Use Patents Plagiarism Turnitin Plagiarism Detection Tools
1. Give four (4) reasons NOT to seek a patent for original software 2. List at least 4 ways to assign a copyright.
23 | P a g e
Unit 7:
Introduction
Network Forensic Fundamentals
Network forensic is the systematics tracking of incoming and outgoing traffic on your network. Network forensics poses greater challenges as evidence can be segregated across multiple system and network which may span across different country with different legal hindrance, evidence can be quickly destroyed as many system and network professional work on the affected system and network, in turn tampering with the evidence, there can be many different investigators from different country involved, making the chain of custody complicating and the crime can be perpetrated at greater speed as the system and network cannot be taken offline for forensic examination
Challenges in Network Forensics Internet Threats External Threats Automated Computer Attack Sources of Evidence on a Network What is a router? Functions of a router A router in an OSI Type of router attack Packet Mistreating Attacks Routing Table Poisoning Router Forensics vs Computer Forensics
24 | P a g e
Incident Reponse Investigating Routers Accessing the Router Router Investigation Procedures
1. If you discover during your investigation that another companys machines are being used as part of a DDOS attack, what should you do?
25 | P a g e
Unit 8:
Introduction
Incidents Response and Forensics
Every business has its own risk environment and any risk that materializes may interrupt desirable outcome of business processes. Any such interruption is called an incident. The following factors emphasize the importance of incident management: In recent years, there has been a steady trend of both increased occurrences and escalating losses resulting from information security incidents. These incidents have had a serious impact to businesses and organization. The increase of vulnerabilities in software or systems can affect large parts of an organizations infrastructure. Failure of technical security controls to prevent incidents. Legal and regulators groups requiring the development of an incident management capability. Greater awareness by organizations of risk management strategies.
What is an incident? How to identify an Incident? Procedure for Handling Incidents CSIRT Overview First Responder Procedure
1. Your spouse works at a private school and reports rumours of a teacher, Dr. Zero, molesting some students and taking illicit pictures of them. Dr Zero allegedly views these pictures in his offices. Your spouse wants you to take a disk image of Dr Zeros computer disk and find out if the rumours are true. Write a one- to two- pages detailing how you would tell your spouse to proceed. Also, explain why walking into Dr Zeros office to acquire a disk image would not preserve integrity of the evidence.
26 | P a g e
Unit 9:
Introduction
Digital Evidence
Digital evidence can be any information stored or transmitted in digital form. This is because you cannot see or touch digital data directly, it is difficult to explain and describe it. Is digital evidence real or virtual? Does data on a disk or other storage medium physically exist, or does it merely represent real information? U.S. courts accept digital evidence as physical evidence, which means that digital data is a tangible object, such as a weapon, paper document, or visible injury, that is related to a criminal or civil incident.
Introduction to Digital Evidence Digital Evidence Investigation Process Securing Digital Evidence Documenting Evidence Processing and Handling Digital Evidence in a Forensics Lab Obtaining Digital Hash and Analyzing it Storing Digital Evidence Evidence Retention and Media Storage Requirements
1. Describe how you received and secured evidence about the arson case from the insurance company. Create an evidence custody form showing that your firm received the image. What additional steps should you take to preserve the evidence? 2. You are hired to go through the office computing systems of an employee suspected of embezzling funds from the firm. What steps do you need to take? Write a one-page paper outlining the procedures you need to follow to make sure the evidence holds up in court.
27 | P a g e
Unit 10:
Introduction
Steganography
Steganography is the art of secret writing. With steganography, messages can be hidden in images, sound files, or even the whitespace of a document before it's sent. This type of secret communication has been around for centuries. Books were written on this subject in the fifteenth and sixteenth centuries. Steganography derived from a Greek word that means covered writing. One of the ways it was originally used was to tattoo messages onto someone's shaved head; after the hair had grown out, that individual was sent to the message recipient. While this is certainly a way to hide information in plain sight, it is a far cry from how steganography is used today.
Definition of Steganography Steganography vs. Cryptography Images Steganography Overview Strides in Steganography Steganography Steps in hiding information Applications of Steganography Digital Watermark Hiding information in Text Files Hiding information in Network packets Steganography tools
1. You work for a mid-size corporation known for its invention and that does a lot of copyright and patent work. You are investigating an employee suspected of selling and distributing animations that were created for your corporation. During your investigation of the suspects drive, you find some files with unfamiliar extension of .cde. The network
28 | P a g e
administrator mentions that other .cde files have been send through an FTP server to another site. List the steps for determining the contents of the .cde file.
29 | P a g e
Unit 11:
Introduction
Analysing Logs
Networks perform many important processes automatically and in the background, and it is the job of the network administrator to make sure that what is supposed to have been done has been done, without error and without problems. One of the most challenging, yet rewarding, aspects of perimeter security is network log file analysis. This process involves trying to identify intrusions and intrusion attempts through vigilant monitoring and analysis of various log files and then correlating events among those files. There are many different types of network log files to review, from network firewalls, routers, and packet filters to host-based firewalls and intrusion detection systems (IDSs).
The Importance of Network Log Files Characteristics of Log Files Event Log Purposes of Log Files Log Analysis Basics Timestamps Network Management Products Protocol Analyzer
1. A user on your network calls, to complain that her co-workers are receiving e-mail from her that she did not send. What type of attack is this? Who do you need to inform to prevent it from spreading? How do you analyse using the different type of log files?
30 | P a g e
Unit 12:
Introduction
Email Crime and Computer Forensics
E-mail has transcended social boundaries and moved from a convenient way to communicate to a corporate requirement. In many cases, incriminating unintentional documentation of peoples activities and attitudes can be found through computer forensics of e-mail. In Practice: E-Mail in Senate Investigations of Finance Companies Financial institutions helped Enron manipulate its numbers and mislead investors. E-mail proved that banks such as JPMorgan Chase knew very well how Enron was hiding its debt
Importance of E-Mail as Evidence Working with E-Mail Working with Webmail Working with Mail Servers Examining E-Mails for Evidence Working with Instant Messaging
1. A mother calls you to report that her 15-year old daughter has run away from home. The mother has access to her daughters e-mail and says that her daughter has a number of e-mail messages in her Inbox suggesting that she has run away to be with a 35-year woman. Write a brief report on how you should proceed.
31 | P a g e

Computer Forensic Learning Guide

Caricato da

Informazioni sul documento

Copyright

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Computer Forensic Learning Guide

Caricato da

Copyright:

System Intrusion and Computer Forensic Module Code: CSM203

CSM 203 System Intrusion and Computer Forensic

Learning Guide (Draft)

First Printing October 2009

Published by Informatics Education Ltd

MODULE OBJECTIVES ..................................................................................................... 15 UNIT 1: INFORMATION SECURITY FUNDAMENTALS ....................................................... 16

UNIT 2: ADDRESSING THREATS...................................................................................... 17

UNIT 3: BACKDOORS, VIRUS AND WORMS .................................................................... 18

UNIT 4: THE HACKING CYCLE ......................................................................................... 20

UNIT 5: COMPUTER FORENSIC FUNDAMENTALS............................................................ 22

UNIT 6: TRADEMARKS, COPYRIGHT AND PATENTS ........................................................ 23

UNIT 7: NETWORK FORENSIC FUNDAMENTALS ............................................................. 24

UNIT 8: INCIDENTS RESPONSE AND FORENSICS ............................................................. 26

UNIT 9: DIGITAL EVIDENCE............................................................................................ 27

UNIT 10: STEGANOGRAPHY........................................................................................... 28

UNIT 11: ANALYSING LOGS............................................................................................ 30

UNIT 12: EMAIL CRIME AND COMPUTER FORENSICS ..................................................... 31

CSM203: System Intrusion and Computer Forensic

Teaching Methods Main Text

The Hacking Cycle

Computer Forensics Fundamentals

Trademarks, Copyright and Patents

Status of a Particule Work

Network Forensic Fundamentals

Incidents Response and Forensics

Files Hiding information in Network packets Steganography tools

Email Crime and Computer Forensics

Information Security Fundamentals

Backdoors, Virus and Worms

The Hacking Cycle

Computer Forensic Fundamentals

Trademarks, Copyright and Patents

Network Forensic Fundamentals

Incidents Response and Forensics

Email Crime and Computer Forensics

Potrebbero piacerti anche