credit courses - Skills Commons

Course Objectives and Plan Summary
Eastern Florida State College
CREDIT COURSES
Prefix: CISC
Course Title: Windows Forensics
All changes are effective fall term/year: Fall 2015
If change is mandated by the State or accrediting body, select the effective term below: Spring, Summer
Credit Level:
DV Developmental Course Credits:
CC 1000-2999 level Course Credits:
UG 3000-4999 level Course Credits: 3
Maximum credits student may earn for this course: 3
DV Contact Hours:
CC Contact Hours:
UG Contact Hours:
Honors Course
Diversity Infused
Repeatable for Credit
Diversity Dedicated
Course Fees - Lab Fee: Yes
Special Course Fee: No
If yes, fee form must be attached.
EFSC Discipline Identifier*: Computer Science
* Refer to the following webpage: http://web ll.easternflorida.edu/credentials/misc/alldisps.cfm
Faculty Credential Option: [x] 1  [ ] 2  [ ] 3  [ ] 4  [ ] 5
CCVS Advisory Notes:
Course Credential Verification System--Refer to Curriculum Packet Instructions for more information.
Transferable College Credit Courses
Doctor's or master's degree in the teaching discipline or master's degree with a concentration
in the teaching discipline of 18 graduate semester hours.
Course Work: Computer Science or Computer Applications
Sign
AAC Date
CISC 3392
General Ed. Requirements: Communications, Humanities, Math, Natural Science, Social Science
Gordon Rule: [ ] Yes  [x] No
Core Course per SBE 6A-14.0303: [ ] Yes  [x] No
Grade Mode: [x] A-F, I  [ ] S-U  [ ] S-U-N-I  [ ] S-U-I  [ ] A-C, F, S
Degree Type: [ ] A.A.  [ ] A.S.  [ ] A.T.C.  [ ] A.T.D.  [ ] C.C.C.  [x] B.A.S.  [ ] B.S.
Suitable for Online: [ ] Yes  [x] No
Suitable for Hybrid: [x] Yes  [ ] No
Prerequisites:
CTS 1300, CTSC 1328, and COP 2805 or COP 3330 - all courses with a grade of "C" or
higher and departmental approval or admission to the Bachelor's program required.
Co-requisites:
None
Course Description: (maximum of 1000 characters for catalog use)
This course is an in-depth forensic analysis of Windows operating systems and media
exploitation focusing on current and past Windows operating systems. The student will
identify forensic evidence from a live Windows system as well as an acquired image. The
course covers the use of open source tools and proprietary forensics tools. Forensics
documentation and reporting including court room expert witness testimony procedures will
be covered. Lab Fee.
Acceleration Mechanism: (method of validating prior learning)
None
Rev. 11.12.2014
Eastern Florida State College
CISC 3392 Windows Forensics
Course Outcome Summary
Course Information
Description
This course is an in-depth forensic analysis of Windows operating systems and
media exploitation focusing on current and past Windows operating systems. The
student will identify forensic evidence from a live Windows system as well as an
acquired image. The course covers the use of open source tools and proprietary
forensics tools. Forensics documentation and reporting including court room expert
witness testimony procedures will be covered. Lab Fee.
Evaluation Methodologies:
Observations
Presentations
Projects
Total Credits
3.00
Total Hours
48.00
Pre/Corequisites
Prerequisite
CTS 1300, CTSC 1328, and COP 2805 or COP 3330 - all courses with a grade of "C" or
higher and departmental approval or admission to the Bachelor's program required.
Core Abilities
Think critically and solve problems
Course Competencies
1.
Demonstrate system analysis concepts (Lecture 4/Lab 1 hours)
Domain
Cognitive
Level
Applying
Learning Objectives
1.a.
Contrast graphical user interfaces (GUI) used by Windows
1.b.
Compare system task scheduling differences between Windows versions
1.c.
Compare event logging procedures between Windows versions
1.d.
Describe the changes to the Windows registry
1.e.
Compare 16, 32, and 64 bit operating systems differences
1.f.
Explain the reasons for changes to the Windows file systems
1.g.
Describe the changes in the Windows bootup process
2.
Explain data collection during a live response (Lecture 4/Lab 1 hours)
Domain
Cognitive
Level
Analyzing
Learning Objectives
2.a.
Demonstrate Locard's Exchange Principle
2.b.
Define live response methodologies
2.c.
Explain order of volatility
2.d.
Create documentation defining live response testing parameters
2.e.
Define procedure differences used for collecting data between different Windows versions
2.f.
List volatile information that can only be collected from a live investigation
3.
Determine lab requirements for live acquisition analysis (Lecture 2/Lab 4 hours)
Domain
Cognitive
Level
Evaluating
Learning Objectives
3.a.
List the current tools available for live response analysis
3.b.
Compare tool differences for data collection and analysis
3.c.
Explain forensically sound data collection and storage techniques
3.d.
Create a live response testing environment
4.
Analyze Windows memory (Lecture 2/Lab 4 hours)
Domain
Cognitive
Level
Analyzing
Learning Objectives
4.a.
Explain Windows processes and their creation mechanisms
4.b.
Explain Windows process memory data collection
4.c.
Perform a physical memory dump on a live Windows system
4.d.
Explain the integration of physical memory and the page file
4.e.
Analyze a physical memory dump
5.
Investigate the Windows registry (Lecture 2/Lab 3 hours)
Domain
Cognitive
Level
Analyzing
Learning Objectives
5.a.
Explain the structure of the Windows registry
5.b.
Define registry key structures
5.c.
List registry collection and analysis tools
5.d.
Record changes to a Windows registry
5.e.
Analyze system information obtained from the Windows registry
5.f.
List portable device information obtained from registry analysis
5.g.
Analyze user activity obtained from registry analysis
6.
Identify Windows file types (Lecture 2/Lab 3 hours)
Domain
Cognitive
Level
Analyzing
Learning Objectives
6.a.
Explain the types of evidence obtained from system log files
6.b.
Diagram the Windows event log file format
6.c.
Parse an event log file for forensics evidence
6.d.
Analyze a Windows Internet Information Services (IIS) log
6.e.
Describe system log files used within different Windows versions
6.f.
Explain the Windows Recycle Bin log file
6.g.
Explain Windows file metadata
6.h.
Display data obtained from the New Technology File System (NTFS) alternate data stream
6.i.
Build a timeline analysis using a Windows log
7.
Examine Windows executable files (Lecture 4/Lab 5 hours)
Domain
Cognitive
Level
Analyzing
Linked Core Abilities
Think critically and solve problems
Learning Objectives
7.a.
Define an executable file
7.b.
Explain forensics file documentation
7.c.
Demonstrate search techniques used on executable files
7.d.
Diagram the Portable Executable (PE) file header
7.e.
Explain the import/export table of an executable file
7.f.
Parse a Windows PE file for header information
7.g.
Contrast static and dynamic file analysis
7.h.
Define tools used for dynamic file analysis
7.i.
Define the goals of trojanized binary files
7.j.
Explore executable files for malware
8.
Examine Windows rootkits (Lecture 2/Lab 2 hours)
Examine Windows rootkits (Lecture 2/Lab 2 hours)
Domain
Cognitive
Level
Analyzing
Learning Objectives
8.a.
Explain the operation of a rootkit
8.b.
Categorize the types of rootkits
8.c.
Catalog rootkit detection utilities
8.d.
Demonstrate rootkit detection
8.e.
Document a rootkit detection procedure
9.
Identifying an expert witness (Lecture 1/Lab 2 hours)
Domain
Cognitive
Level
Analyzing
Learning Objectives
9.a.
Define the codes and ethics of an expert witness
9.b.
Explain an expert witness's role in testifying
9.c.
Define expert witness impeachment
9.d.
Investigate ethical difficulties in expert testimony
9.e.
Write an investigative forensic report
9.f.
Demonstrate expert witness testimony
Developer/Reviser Date
02/20/2015
Developer/Reviser Name
Ross Decker