
Incident Response & Investigation Methods

IS 391 OL1 SYLLABUS


Instructor Information
Name: Ron Shaffer
Email: rshaffer@stevenson.edu
Office: N/A
Course Information
Course Name: Incident Response & Investigation Methods
Course Number: IS391
Course section: OL2
Semester: 15S8W2 Spring - Accelerated (8-Week) online
Year: 2015

Course Materials
Course texts include:

Computer Forensics Investigation Procedures and Response, EC-Council Press, Course Technology, 2010
ISBN: 1-4354-8349-9, 978-1-4354-8349-1

Computer Forensics Jump Start, Solomon, Rudolph, Tittel, Broom and Barrett, Wiley Publishing, 2011
ISBN: 0-470-93166-0

Note: Students must have a computer login and password, Blackboard login and password.
Reliable internet access is required.
Course Description

Examines the role of the computer forensics investigator as a member of an Incident Response
Team and explores the nature of the threat to organizations, the indicators that an incident is
underway, the policies and procedures to be followed when an incident is detected, and the
investigation methods used to collect evidence for prevention or prosecution. The course will
explore the best practices used to create, organize and deploy an incident response team for
malicious activity. Students will receive three credits for successfully completing the course.

Course Learning Outcomes


Upon course completion, students will be able to:

Understand corporate forensic needs
Identify Evidence
Describe computer evidence
Address evidence handling issues
Preserve Evidence
Analyze Evidence
Present Evidence
Understand computer forensics hardware
Define computer forensics

Course Learning Strategies/Assessment

Learning outcomes will be achieved through the following strategies:

PowerPoint Presentations
Web based course materials
Structured discussion
Problem-Solving Scenarios
Individual projects
Quizzes, Tests
Project assignments

University Student Learning Goals


Self, Societies, and the Natural World:
The SU graduate will demonstrate knowledge of self, others, diverse societies, and the natural world, through the integration of the liberal arts and professional studies.

Reasoning:
The SU graduate will use critical and creative thinking to locate and evaluate information, ask and answer questions, address issues, and solve problems.

Communication:
The SU graduate will communicate effectively for diverse audiences, situations, and purposes.

Ethics:
The SU graduate will exhibit personal and professional ethical reasoning and behavior.

Wellness:
The SU graduate will seek opportunities to promote well-being of self and others.

Career Readiness:
The SU graduate will reflect on, plan, and pursue personal and professional development.

Lifelong Learning:
The SU graduate will possess the foundations and skills for lifelong integrative learning and contribution.

Objectives of the Core Curriculum
Upon successful completion of the core curriculum, Stevenson University graduates will
1. Demonstrate effective oral and written communication skills.
2. Demonstrate basic technological competence.
3. Demonstrate ability to obtain, evaluate, and use information to solve problems.
4. Demonstrate knowledge of basic wellness principles.
5. Demonstrate knowledge to a diversity of perspectives and values in the liberal arts and
sciences.
6. Identify key concepts, perspectives, methods, values underlying, and applications of
the fine arts, social sciences, humanities, mathematics, and the sciences.
7. Explore individual, cultural, global, and ethical considerations in human relations.
8. Demonstrate knowledge of the effects of individual, cultural, and global differences
on human relations.

Course Assignment Expectations

All assignments for each week are listed in the course syllabus and also have a
corresponding learning unit under the Module button in this course. All work to be done for the
week, as well as links for submitting assignments, is provided in these learning modules.

Late work and make up exam policy:


All assignments for each Module are due no later than 11:45 P.M. on Sunday of that week, as
listed in the course schedule/ Module assignment schedule portion of the syllabus. For example,
all Module 1 work must be submitted no later than 11:45 P.M. on Sunday, March 29, 2015
(03/29/15).
Students will not receive credit for assignments submitted late or missed exams without prior
approval of the instructor. Only in the most extreme circumstances may students petition the
instructor for exemption. The instructor will consider all petitions, deny those deemed other than
extreme, and grant those where evidence is clear. At the discretion of the instructor, the student
may be required to petition the Information Systems Program Coordinator from the School of
Graduate and Professional Studies (GPS) for exemption. The process requires an in-person
and/or telephone interview with the GPS Information Systems Program Coordinator and a
detailed formal letter of explanation which shall cite, among other items, the personal contact
information for verification of required references. Further details of the process and the
documentation required can be obtained from the instructor.

Course Grading Policy

The final course grade will be allocated according to the following formula:
Case Studies                     20%
Tutorial/Chapter Assignments      5%
Projects                         25%
Exams                            10%
Papers                           15%
Discussion Board                 10%

Note: Improper, distracting, disrespectful or disruptive behavior in the online classroom or
anything less than professional and respectful email communication will result in a severe grading
penalty beyond the breakdown noted above at the discretion of the instructor. Any violation of the
Academic Honesty Policy or the policies detailed in this syllabus may result in an F for the
assignment or an F for the course at the discretion of the instructor. The penalty for a violation
of the Academic Honesty Policy could be changed to dismissal from the University by higher
authorities.
Grading Ranges:
A     100.00 - 93    4.0
A-    92 - 90        3.7
B+    89 - 87        3.3
B     86 - 83        3.0
B-    82 - 80        2.7
C+    79 - 77        2.3
C     76 - 73        2.0
C-    72 - 70        1.7
D+    69 - 67        1.3
D     66 - 60        1.0
F     59 - 0         0.0

Example:
Course Grading Policy:
In compliance with the Stevenson University grading policy, a student's performance in a course
will be measured in accordance with the following grading system:
A = 4.0   Excellent: Outstanding achievement and initiative.
B = 3.0   Good: Above average attainment
C = 2.0   Satisfactory: Average mastery of essentials meeting the minimum course requirements. It is the lowest possible passing grade.
D = 1.0   Unsatisfactory: IS courses require a grade of C or higher - repeat required
F = 0.0   Failure: No credit for the course

The grade of C- is the lowest acceptable grade for Information Systems courses (accelerated or
traditional). Required IS courses in the major must be repeated for a grade of C- or better in order
to graduate.
The grade of 'B' represents above average work meeting minimum course requirements. The
student receiving a grade of 'B' has consistently demonstrated a complete understanding of the
material and concepts presented throughout the course. Additionally, the student has completed
all course requirements on time, exhibited enthusiastic interest in topics and discussions and is
able to present and apply course concepts in a clear and organized manner, both verbally and on
written tests.
The grade of 'A' is awarded only to those students who fully meet this standard, who additionally
demonstrate exceptional comprehension and application of the course material, and demonstrate
initiative in course requirements.

Course Schedule

Module

Topic

Assignments

Blackboard Submission
Pre Assignment
Week

Preliminary Setup

Chapter 1: The Need for Computer Forensics

Introductions Discussion Board

Read Ch. 1: Computer Forensics Jump Start
Completion of Chapter 1 Review questions (even questions only).
Complete Discussion Board Introduction
Complete 2 article abstracts.

1
Chapter 1: Computer Forensics in Today's World

Read Ch 1: Computer Forensics Investigation Procedures and Response
Complete Module 1 Discussion question.

Chapter 2: Preparation - What to do before you start

Read: Computer Forensics Jump Start, Solomon, Barrett, and Broom
Completion of Chapter 2 Review questions (Odd only)
Assemble an incident response team to respond to a network security breach
Create an action plan for handling the network security breach

Chapter 2
Read: Computer Forensics Investigation Procedures and Response

Complete hands-on projects
Design a computer forensics lab
Establish a security policy for your computer forensics lab

Research the following areas of law related to computer security:
The Fourth Amendment
Fifth Amendment
Wiretap Act (18 U.S.C. 2510-22)
Pen Registers and Trap and Trace Devices Statute (18 U.S.C. 3121-27)
Stored Wired and Electronic Communication Act (18 U.S.C. 2701-120)
Write a paper (min. of 3 pages)

Chapter 3: Computer Evidence and Search Authority

Computer Forensics Investigation Procedures and Response

Read: Computer Forensics Jump Start, Solomon, Barrett, and Broom
Complete the following case studies:
Case study #1 (U.S. Supreme Court Katz v. United States, 389 U.S. 347 (1967))
Case study #2 (UNITED STATES v. ZIEGLER Case Study #2)
Case Study #3 (The Waco Affidavit)

Read: Computer Forensics Investigation Procedures and Response
Complete the following projects:
Project #1
Complete Software and Hardware Write Blockers internet exercise located in Solomon, Barrett, and Broom Computer Forensics Jump Start, chapter 3, pg. 70.
Project #2
Software and Hardware Write Blocker tools evaluation and questions
Project #3
Read the 4th Amendment of the Constitution and complete questions on illegal search and seizure

Chapter 4: Common Task
Computer Forensics Jump Start
4

Read:
Complete Case Study #4
Complete Project #1

Chapter 4:
Read: Computer Forensics Investigation Procedures and Response

Complete hands-on projects: 1, 2, & 3 (Listed on pg. 4-20 in Computer Forensics Investigation Procedures and Response textbook)

Chapter 5: Capturing Data Image
Chapter 6: Extracting Information from data

Chapter: 5 and 6
Computer Forensics Investigation Procedures and Response

Chapter 7: Passwords and Encryption
Chapter 8: Common forensic tools

Read: Computer Forensics Investigation Procedures and Response
Complete:
Project #1 - Create an evidence log
Project #2 - Create a chain of custody log
Project #3 - Research Forensic tool kit software and answer questions
Read: Computer Forensics Investigation Procedures and Response
Complete:
Paper #1 - 2-3 page paper explaining the different types of encryption and best practices
Paper #2 - Recommendation to Stevenson University for the best encryption
Case Study #8
Project #1 - Detect and Eliminate Computer Acquired Forensics (DECAF)

Chapter 9: Pulling it all together

Read: Computer Forensics Jump Start
Complete:
Project #1
Create a detailed forensic analysis report
Project #2
Complete crime scene documentation packet
Case Study #9
Case Study #10

Chapter 10: Testifying in Court

Read: Chapter 10, Computer Forensics Jump Start

Read: Computer Forensics Jump Start
Complete:
Case Study #6 Waco Search Warrant
Case Study #7 United States v. Naparst
Article Abstract

Complete the following:
Internet Ex. #1
Case Study #11

Final Exam
FINAL EXAM

Deliverable Schedule

DELIVERABLE                      DUE
Readings                         Weekly
Case Study                       Weekly
Exams (Mid-term and Final)       Weeks 5, 8
Exercises                        Weekly
Projects                         Weeks 2, 4, 6, 8

Standards of Academic Honesty and Ethics


To promote the free exchange of ideas, the Stevenson University community depends upon the
academic honesty of all of its members. While acknowledging that the vast majority of students
conduct themselves with a fundamental honesty, the University seeks to set the highest ethical
standards. For students, academic honesty is merely a prelude to the personal integrity and
professional ethics that will govern their careers. In all cases, intellectual honesty provides the
clearest path to knowledge, understanding, and truth--the highest goals of an academic
institution. Therefore, the University expects honesty from all of its members in every academic
setting.
Academic honesty applies to all situations, including but not limited to documenting all sources
used in assignments, completing all tests without unauthorized assistance, and providing
accurate information on University documents.
Violations of Academic Honesty and Ethics
Any attempt to commit the following offenses constitutes academic dishonesty.

Cheating: Using unauthorized material to complete a test, quiz, examination, or
assignment. Cheating includes, but is not limited to, copying from other students, relying
upon aids or notes during a test, or consulting outside sources without the instructor's
permission. Giving unauthorized assistance to other students also constitutes cheating.

Plagiarism: Representing the words, ideas, research, or works of another as one's own.
Plagiarism can involve submitting work prepared entirely or in part by another person or
commercial service or borrowing material as direct quotation, partial quotation, or
paraphrase from published or unpublished sources without proper acknowledgement.
Students must document all print, online, and oral sources they use to complete
assignments.

Unauthorized Assistance: Preparing an assignment with the help of another student or
allowing another person, such as a tutor, to alter or revise an assignment beyond the
scope of collaboration the instructor has defined.

Fabrication: Presenting false data, sources, or research results for academic credit.

Multiple Submission: Presenting the same work, in whole or in part, for credit in more
than one course without the explicit permission of all interested instructors.

Other Violations: Including, but not limited to, lying, forgery, bribery, damaging or stealing
University or another's property, physically abusing another person, or verbally
threatening another.

Sanctions for Violating Standards of Academic Honesty and Ethics


Should a student violate the University's standards of academic honesty and ethics, he or she will
be liable to sanctions according to the following procedure. Infractions will lead to probation,
suspension, or expulsion of the student from the University.

Plagiarism Policy

Plagiarism is considered a serious offense by the University administration and can
result in the student's dismissal from the program.

Plagiarism is the intentional or unintentional presentation of another person's idea or
product as one's own.

Plagiarism includes, but is not limited to:
o copying verbatim all or part of another's written work,
o using phrases, conclusions, charts, figures, illustrations etc. without citing sources,
o using direct quotes without quotation marks,
o offering another's work as one's own under any circumstances (including taking credit for group work without participation)

Penalties include a grade of zero or F for work, a grade of F for the course, or
dismissal from the program.

Communication Policy

SCHOOL OF GRADUATE AND PROFESSIONAL STUDIES STUDENT & FACULTY COMMUNICATION GUIDELINES

Effective communication between students and faculty is essential for student success and
faculty expectations. The process below is designed to help everyone feel comfortable that their
message is successfully delivered and acknowledged. Students and faculty should use the steps
below to close the loop in contacting each other. Note that for questions requiring a more
immediate response, students should contact faculty by telephone on their office extension.
1.) Student emails faculty with question or deliverable.
2.) Within one business day or as soon as the faculty sees the message, the faculty sends
an email message in response that acknowledges receipt and review of message from
the student. (not necessarily an answer)
3.) If the student does not get a response acknowledging the receipt within one business
day, the student should send the message again. If no acknowledgement is received, the
student should call the faculty member on their office extension or the phone number
listed in the course syllabus.
4.) If the student is still unable to reach the faculty member, they should then contact Cheryl
Bosse by email at cbosse@stevenson.edu
5.) Within 48 hours or sooner if project deadlines are involved, the faculty will respond with a
feedback message on questions or assignments.
6.) Students will respond with an acknowledgment of the feedback message from the faculty.

Student Responsibilities:
Students are responsible for communication with their instructor. There should be no delay in
asking questions, expressing concern about the clarity of concepts or requesting feedback on
assignments.
IMPORTANT:

In all email communications with the instructor, students must identify themselves in the
subject line of the message to include: Last Name, First Name, Course Number, and
Section Number.
All University email communication will be exchanged only over SU email accounts.
Students are responsible for the information sent to their SU email account and must
monitor their SU accounts each day for important University and course related
information. Students are required to view their SU email accounts directly or set up their
SU email account to forward to an account they view regularly during the day.

Students should expect to receive a great deal of information over their SU email account. If you
are not receiving regular information over a forwarded email address you should immediately
investigate the problem before missing important instructions or announcements.

Network Security Agreement


All components of the Stevenson University Network Security Agreement will be enforced in this
class. Failure to abide by this agreement will result in the loss of your access to the University
computer facilities. The loss of computer access will not excuse you from completing any of the
course requirements. Class assignments, announcements, and other materials may be
distributed via e-mail, the SU network or the Internet during the semester. It is the responsibility
of the student to regularly check for e-mail, to check the class network directory, to check the
Internet and to report to the instructor any problem with the campus telecommunications system.
Supplemental Comments from your Instructor:
One of the common tasks of a forensic computer examiner is performing the statistical
examination of documents including comparative analysis based on syntax, word use frequency
and content distribution patterns to ascertain authenticity, duplication and forgery.

Students with Disabilities


Ctrl+Click this link for details:

http://www.stevenson.edu/academics/academic_advising/disability_services.asp
