Computer and Internet Forensics




IT 664












D. Denning. Information Warfare and Security. Addison-Wesley, 1999.


D. Schweitzer. Incident Response: Computer Forensics Toolkit. Wiley Publishing, 2003.





A. Marcella and R. Greenfield (Eds.). Cyber-Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes. Auerbach Publications (CRC Press), 2002.


E. Casey. Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. Academic Press, 2000.


M. Britz. Computer Forensics and Cyber Crime: An Introduction. Pearson Education (Prentice Hall), 2004.


I. Winkler. Spies Amongst Us: How to Stop the Spies, Terrorists, Hackers, and Criminals You Don’t Even Know You Encounter Every Day. Wiley Publishers, 2005.









Course Description: This course provides a general overview of the theory and application of information warfare and forensic computing. The background information on information warfare highlights the inherent problems in today’s computing environment and indicates the necessity of forensics to complement computer security. The course focuses on information warfare arsenal and tactics, defensive strategies, and casualties; network surveillance tools for information warfare; fundamentals of computer forensics; computer forensics services and technologies; search and seizure; data recovery and identification and digital evidence collection, duplication, and preservation; computer image verification and authentication; reconstruction of past events; legal issues; and advanced topics in forensics.



Learning Objectives


By the end of this course, each student will have attained the following course objectives:

A.      Students will develop a deep understanding of the concepts and practices of information warfare, its arsenal and tactics, and the defensive strategies used.


B.       Students will understand the concept of surveillance as a maintenance strategy, and the use of surveillance techniques to secure a computing environment including the inherent computer systems and networks.


C.       Students will develop a very good knowledge of the basic concepts of computer forensics as well as its services and technologies.


D.      Students will understand the protocols involved in the search and seizure of a suspected computer or computer network; data recovery; identification, collection, duplication, and preservation of digital evidence; verification and authentication of a computer image; and the reconstruction of past events.


E.       Students will understand the legal issues involved in computer and Internet security and forensics.


F.       Students will develop the knowledge and techniques needed to become better users of computers and the Internet as well as develop the skills needed to become effective employees.



Learning Outcomes


The subsequent course learning outcomes have a one-to-one correspondence with the preceding course objectives:


A.      Students will be able to

·         Compare and contrast the offensive and the defensive players in information warfare

·         Identify at least five leisure and five criminal activities, respectively, that are conducted on the Internet

·         Discuss the type and extent of casualties that may result from offensive uses of the Internet

·         Explain the difference between steganography and cryptography and discuss their combined use relative to intrusion detection mechanisms


B.       Students will demonstrate

·         Familiar knowledge of the operation of surveillance tools such as packet sniffers, workplace monitoring technologies, and intrusion detection systems


C.       Students will be able to

·         Explain the process involved in the acquisition, authentication, and analysis of computer evidence

·         Demonstrate where information may be hidden on the typical computer

·         Discuss the significance of data mining

·         Compare and contrast the different types of tools available to extract information from a networked computer


D.      Students will

·         Clearly understand the procedures involved in pre-search intelligence and preparation, and search briefing

·         Demonstrate a basic understanding of the principles of computer-based evidence

·         Have intimate knowledge of the types of items that are taken in a computer or network search and seizure operation and the methods used to store and transport these items

·         Explain what is entailed in the external and internal examination of a computing system

·         Compare and contrast copying and imaging


E.       Students will demonstrate

·         Clear understanding of cyber-banking and the potential risks

·         Basic knowledge of such laws as those that affect data communications and Internet, intellectual property, consumer fraud, and contract formation


F.       Students will demonstrate

·         Responsible computer use on an unsecured network

·         An ability to be an effective team member

·         An ability to effectively communicate the results of a project in a technical report




Course Number

Midterm Examination Date: March 15, 2006

Final Examination Date: May 10, 2006



Procedures, Guidelines, and Expectations:


1.        ‘Knowing’ has shifted from being able to remember and repeat information to being able to find and use it (Nobel Laureate Herbert Simon).


2.        ‘Usable knowledge’ is not the same as a mere list of disconnected facts. Experts’ knowledge is connected and organized around important concepts; it is ‘conditionalized’ to specify the contexts in which it is applicable; it supports understanding and transfer (to other contexts) rather than only the ability to remember. Since understanding is viewed as important, people must learn to recognize when they understand and when they need more information (How People Learn – Bransford et al.).


3.        The central focus of the course is active learning, understanding, and the manipulation of information. To accomplish these tasks, your cooperation, collaboration, and active participation are strongly encouraged.


4.         The teaching strategy will be a form of Just-in-Time teaching and inquiry.


5.        The evaluation of your performance in the course will be based on your active participation in your team and in the class as evidenced by you and your team’s thoughtful responses to discussion questions, team project, and individual midterm and final examinations. The midterm and final examinations will be research-based reports or short answers.


6.        The technical report should conform to The Chicago Manual of Style, 15th edition (


7.        CSIS student responsibilities guideline will be posted in Blackboard’s Course Information section. You are encouraged to download, read, and become familiar with the contents.


8.        Links to computer and Internet forensics websites will be made available through Blackboard’s External Links.


9.        The course will have a team-based focus. Membership in a team is optional. The typical team will consist of three to four students. Because team membership is optional, a team of one person is possible. Each team will engage in two levels of thoughtful discussion. The first level is within the team, where team members exchange ideas with each other on the discussion questions and on other teams’ responses to reach a consensus on the team’s responses to each discussion question. The second level involves the team responding to three other teams’ responses to the discussion questions. The team number must be used to identify each team response to a discussion question, and a response should be time stamped.


10.     To avoid the spread of malware, spyware, viruses, etc., it is recommended that each student use an adequately protected computer system for his or her work.


11.     You are strongly encouraged to use Blackboard’s Digital Dropbox to submit assignments (such as midterm exam, final exam, project/report, etc.) and general questions about the class. Assignments and general questions about the class will not be collected or addressed via email unless you are specifically given instructions to do an email submission. However, if you have personal questions that you consider private, you may send a personal email.


12.     Computer and Internet Forensics is a relatively new and evolving field that is currently more application oriented. The theory is still being developed.


13.     You are encouraged to get some or all of the suggested references depending on your motivation to develop an in-depth understanding of the topic. The Internet is an excellent source for information on computer and Internet forensics.


14.     Computer and Internet forensics is sometimes called forensic computing.


15.     Class attendance will be monitored through within-team collaboration and the exchange of ideas among teammates.


16.     Each of you is expected to log onto the Blackboard course site at least two or three times per week to keep current with the class assignments and expectations. You should expect to spend between six and eight hours per week on course work.


17.     From time to time, you will be updated with assignments, reminders, recommendations, and other course related information.








Dr. A. Joseph



163 Williams St., 2nd floor, Room 231



212 346 1492


Office Hours:


Wednesdays: 12:00pm – 5:00pm







Grading Policy


Final examination:



Mid-term examination:






Class and group preparation and participation:










Extra credit assignment (Optional):

Note: Only for students who are otherwise fulfilling all of the other course requirements.





Final Grade Determination


Above 92%

90% -- 92%



85% -- 89%



80% -- 84%



75% -- 79%



70% -- 74%



65% -- 69%



Below 65%



Note: Grade is computed to the nearest whole number.











Information warfare arsenal and tactics: offensive and defensive players (military and civilian); play and crime; individual rights; open sources and competitive intelligence; national security; and casualties (civilian and non-civilian).


Assignment: to be assigned.




Defensive strategies: cryptography; steganography; anonymity; sanitization; trash disposal; shielding; authentication techniques including watermarking; access controls; filters; intrusion and misuse detection; and security awareness and training


Assignment: to be assigned.




Environment and network surveillance tools: packet sniffers; keystroke monitoring; workplace monitoring technologies; virus and spyware scanners; and data analysis tools.


Assignment: to be assigned.




Fundamentals of computer forensics: acquisition, authentication, and analysis of evidence; computer illusionary characteristics; IT personnel; Internet; overlooked sources of evidence; and data mining.


Assignment: to be assigned.




Midterm exam.




Computer forensics services and technologies: hard-drive tools; file viewers; net threat analyzer; unerase tools; CD-R utilities; drive imaging programs; disk wiping; forensic programs; and hardware.


Assignment: to be assigned.




Search and seizure: recovery of lost or hidden data; principles of computer-based evidence; pre-search intelligence; pre-search preparation; search briefing; search scene; operating dilemma; switched off and switched on computing systems; servers’ shutdown procedures; items taken in a seizure; and transport and storage of IT systems.


Assignment: to be assigned.




Data recovery and identification and digital evidence collection, duplication, and preservation: initial computer examination; reception of computing device; static electricity and electrical safety; external and internal examination; imaging and copying.


Assignment: to be assigned.




Computer image verification and authentication, and Reconstruction of past events.


Assignment: to be assigned.




Legal issues and advances in forensics: Internet law; Intellectual property; communication law; tort law, consumer fraud statutory violations; constitutional issues; contract formation; cyber-banking; International law; procedural law.


Assignment: to be assigned.






Review for final examination






Final exam.


Creativity and entrepreneurial innovation


Creativity is the ability to develop new ideas and to discover new ways of looking at problems and opportunities.


Entrepreneurial innovation is the ability to apply creative solutions amidst risk and uncertainty to those problems and opportunities to enhance or to enrich people’s lives while achieving success, growth, and profit.




The class will be team-based. However, team membership is voluntary. Teams of three or four students will be formed to prepare and submit responses to class discussion questions and to work on a project/technical report. The project may be assigned or self-selected with the professor’s approval.