
CS 447 Computer & Network Forensics

Total Credits: 3 cr

Course Coordinator: Jim Alves-Foss

URL: http://www2.cs.uidaho.edu/~ctaylor/CS447

Current Catalog Description: Competence in using established forensic methods in the handling of electronic evidence; rigorous audit/logging and data archival practices; prevention, detection, apprehension, and prosecution of security violators and cyber criminals.

Textbook: Phillips, Nelson, Enfinger, and Stuart, Guide to Computer Forensics and Investigations, Course Technology, 2006.

Smith, F. and Bace, R., A Guide to Forensic Testimony, Addison Wesley, 2003.

References: None.

Course Goals:

Law and Ethics:

  • Discuss the 4th Amendment to the US Constitution and its application to computer / network search and seizure
  • Discuss the implications of the Electronic Communications Privacy Act (ECPA), the USA PATRIOT Act, and US federal and state guidelines
  • Identify ethical/legal issues in software piracy, reverse engineering, music sharing, IP, patents, copyrights, etc.
  • Apply the rules of evidence as they relate to an electronic crime scene and to obtaining digital evidence. (i.e. recognize what can and can NOT be seized at an electronic crime scene.)
  • Discuss the methods of ensuring the chain of custody of evidence.

Disk Forensics Fundamentals:

  • Distinguish the basics of NTFS vs. FAT32 vs. UNIX file systems and data storage
  • Describe wide varieties of data storage devices, how they operate, and how these devices contain evidence
  • Capture critical system information from computer disks
  • Capture critical information from a network incident
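The following is an added example for the disk-forensics goals above; it is not material from CS 447 or from the course textbook. It decodes the FAT32 BIOS Parameter Block from the first sector of a raw image, derives the layout an examiner needs (where the FATs and data region start, and how a cluster number maps to a byte offset), and records a SHA-256 hash of the image so that later analysis can be shown to have worked on an unaltered copy, which is the point of the chain-of-custody goal above. The boot sector is constructed in the code; field offsets follow Microsoft's FAT32 specification.

```python
"""Added example (not CS 447 course material): parse a FAT32 BPB from a raw
image, derive the volume layout, and keep an evidence hash for custody records.
The image below is constructed; it is not from any real disk."""
import hashlib
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xAA"


def build_sample_image() -> bytes:
    """Constructed boot sector with 1 GiB geometry, padded with zero sectors."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x58\x90"                  # x86 jump to boot code
    bs[3:11] = b"MSWIN4.1"                     # OEM name
    struct.pack_into("<H", bs, 11, SECTOR)     # bytes per sector
    bs[13] = 8                                 # sectors per cluster
    struct.pack_into("<H", bs, 14, 32)         # reserved sectors before FAT 1
    bs[16] = 2                                 # number of FAT copies
    struct.pack_into("<H", bs, 19, 0)          # 16-bit total sectors (0 on FAT32)
    struct.pack_into("<I", bs, 32, 2_097_152)  # 32-bit total sectors (1 GiB)
    struct.pack_into("<I", bs, 36, 2048)       # sectors per FAT (FAT32-only field)
    struct.pack_into("<I", bs, 44, 2)          # first cluster of the root directory
    bs[82:90] = b"FAT32   "                    # informational type string
    bs[510:512] = BOOT_SIGNATURE
    return bytes(bs) + bytes(SECTOR * 3)


def evidence_hash(image: bytes) -> str:
    """Hash recorded on the chain-of-custody form at acquisition time."""
    return hashlib.sha256(image).hexdigest()


def verify_evidence_hash(image: bytes, recorded: str) -> bool:
    """True if the working copy still matches the hash taken at acquisition."""
    return evidence_hash(image) == recorded


def is_boot_sector(sector: bytes) -> bool:
    return len(sector) >= SECTOR and sector[510:512] == BOOT_SIGNATURE


def parse_fat32_bpb(image: bytes) -> dict:
    """Decode the BPB fields an examiner needs and derive the volume layout."""
    sector = image[:SECTOR]
    if not is_boot_sector(sector):
        raise ValueError("no 0x55AA boot signature; not a boot sector")
    bytes_per_sector, = struct.unpack_from("<H", sector, 11)
    sectors_per_cluster = sector[13]
    reserved_sectors, = struct.unpack_from("<H", sector, 14)
    num_fats = sector[16]
    total_16, = struct.unpack_from("<H", sector, 19)
    total_32, = struct.unpack_from("<I", sector, 32)
    sectors_per_fat, = struct.unpack_from("<I", sector, 36)
    root_cluster, = struct.unpack_from("<I", sector, 44)
    total_sectors = total_16 if total_16 else total_32
    data_start = reserved_sectors + num_fats * sectors_per_fat
    cluster_count = (total_sectors - data_start) // sectors_per_cluster
    # The string at offset 82 is informational only; the specification decides
    # FAT12/16/32 by cluster count, so an examiner should trust the count.
    if cluster_count >= 65525:
        fs_type = "FAT32"
    elif cluster_count >= 4085:
        fs_type = "FAT16"
    else:
        fs_type = "FAT12"
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "reserved_sectors": reserved_sectors,
        "num_fats": num_fats,
        "sectors_per_fat": sectors_per_fat,
        "total_sectors": total_sectors,
        "fat_start_sector": reserved_sectors,
        "data_start_sector": data_start,
        "cluster_count": cluster_count,
        "root_cluster": root_cluster,
        "fs_type": fs_type,
        "type_label": sector[82:90].decode("ascii", "replace").strip(),
    }


def cluster_to_offset(bpb: dict, cluster: int) -> int:
    """Byte offset of a data cluster; FAT data clusters are numbered from 2."""
    if cluster < 2 or cluster >= bpb["cluster_count"] + 2:
        raise ValueError(f"cluster {cluster} is outside the data region")
    sector = bpb["data_start_sector"] + (cluster - 2) * bpb["sectors_per_cluster"]
    return sector * bpb["bytes_per_sector"]


if __name__ == "__main__":
    img = build_sample_image()
    recorded = evidence_hash(img)
    bpb = parse_fat32_bpb(img)
    print("evidence SHA-256:", recorded)
    for key, value in bpb.items():
        print(f"{key:>20}: {value}")
    print("root directory byte offset:", cluster_to_offset(bpb, bpb["root_cluster"]))
    print("working copy still matches:", verify_evidence_hash(img, recorded))
```

The same offsets apply to a real image: read the first 512 bytes of the acquired file and pass them to parse_fat32_bpb. Taking the hash before any tool touches the copy, and re-checking it after, is what lets the examiner testify that the analysed image is the one that was seized.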

Network Forensics Fundamentals:

  • Describe the basics of good incident response techniques.
  • Identify the footprint of an attack and how a perpetrator can be identified.
  • Understand the challenges of network forensics vs. disk forensics.

Security, Management, and Forensics:

  • Describe the threats and vulnerabilities to which a computer system and/or network may be exposed
  • Design policies and associated controls to assist in providing appropriate incident response.
  • Identify IP, critical or confidential information from which a computer incident might arise.

Prerequisites by Topic:

  • Knowledge of fundamental techniques and methods of information assurance (CS 336)

Major Topics Covered in the Course:

  • History and Definitions (1 hour) (SP1)
  • Investigative process, Investigative reconstruction (3 hours) (SP3)
  • Forensic tools (4 hours) (SP3)
  • Windows file systems (3 hours) (OS8)
  • Unix file system (4 hours) (OS8)
  • Unix case study, log files in depth (3 hours) (OS8)
  • Unix processes in depth, root kits (3 hours) (OS8)
  • Network forensics (4 hours) (SP3)
  • TCT or Sleuthkit Lab (4 hours) (SP3)
  • Criminology, criminal intentions (3 hours) (SP8)
  • Criminal element, laws (5 hours) (SP7)
  • Expert testimony (3 hours) (SP4)

Laboratory projects (specify number of weeks on each):

  • Become familiar with disk-based forensics tools – Use some of the tools provided in the text to examine a disk on a PC for evidence (1 week)
  • Unix/Linux Lab – focus is on learning Unix Forensics tools (1 week)
  • Network Forensics – Learn tools and techniques associated with Network forensics analysis (1 week)

Estimated Curriculum Category Content:

Area              Core   Advanced
Algorithms
Data Structures
Software Design
Prog. Languages
Computer Arch
Other             3 credits total (all other areas: none)

Oral and Written Communications: Every student is required to submit at least one written report (not including exams, tests, quizzes, or commented programs), typically five to eight pages. No oral presentations are required.

Social and Ethical Issues: Social and ethical topics are discussed in relation to privacy issues that arise when examining hard drives for data. Fourth Amendment rights are discussed in relation to surveillance that may occur during examination of hard drive data. How to observe and protect the suspect's rights and the victim's rights is discussed when electronic material for criminal prosecution is addressed. Overall: 10 hours or more. Test questions are used to assess this material.

Theoretical Content: Algorithm complexity – 3 hours

Problem Analysis: Lab teams had to solve forensics problems. 6 – 8 hours

Solution Design: Students worked in teams for class exercises and for labs: 10 or more hours, including lab.

Course Outcomes: The following list documents the course outcomes and cross-references them to the BSCS program outcomes. The letter at the beginning of each reference identifies the program outcome supported. The numbers sequentially identify the course outcome for this course. After completing CS 447 a student should know or be able to: