Course: CIS247DA
First Term: 2003 Summer I
Final Term: Current
Final Term: 2018 Summer

Lecture 3 Credit(s) 4 Period(s) 3.7 Load
Subject Type: Occupational
Load Formula: S
MCCCD Official Course Competencies

1. Explain the steps in incident verification (I)
2. List and demonstrate the steps in searching for clues in incident response (I, V)
3. Explain the steps in the forensics process: seizure, preservation, analysis, and presentation (II)
4. Explain the steps in media analysis (II)
5. Audit a compromised system to determine its current status and probable attack methods and vectors (II)
6. Demonstrate evidence collection procedures (II)
7. Image and verify a hard disk using ddd and md5sum software (II)
8. Identify files hidden in alternate data streams using LADS (Locate Alternate Data Streams) (II)
9. Recover deleted files under Windows and Unix (II)
10. List possible sources of logs that can be used to verify the incident (II)
11. Prepare and present a forensics report on an incident (II)
12. Describe the appropriate time to involve law enforcement in incident response (I, II)
13. Identify and explain the means of incident prevention (III)
14. Demonstrate incident and forensics documentation to be completed at each step (I, II, IV)
15. Explain proper file handling procedures during evidence preservation and analysis (V)
16. Explain and demonstrate media imaging for analysis (V)
17. Identify and demonstrate tools used in incident response (I, VI)
18. Identify and demonstrate tools used in forensics analysis (II, VI)
19. Identify and explain legal permissions and restrictions in incident response and forensics analysis (VII)
20. Prepare documents and evidence for a trial (VII)
21. Identify malicious codes under Windows and Unix (VIII)
22. Explain malicious code signatures (VIII)
MCCCD Official Course Competencies must be coordinated with the content outline so that each major point in the outline serves one or more competencies. MCCCD faculty retains authority in determining the pedagogical approach, methodology, content sequencing, and assessment metrics for student work. Please see individual course syllabi for additional information, including specific course requirements.
MCCCD Official Course Outline

I. Incident Response Overview
   A. Policies and procedures
   B. External incident source
   C. Internal incident source
   D. Tool kit and equipment preparation
   E. Incident responder vs. incident investigator
II. Forensics Response Overview
   A. Verifying occurrence of an incident
   B. Collecting evidence
   C. Chain of custody
   D. Media analysis
   E. Finding hidden disk space
   F. Live system response and analysis
   G. Dead system response and analysis
   H. Steps to avoid destroying evidence
   I. Building a profile of the incident
   J. Interviewing key people
   K. Recording findings
   L. Preparing a report
   M. Handling volatile evidence
III. Incident Prevention
   A. User and system administrator education and awareness of incidents
   B. Incident containment and mitigation
   C. Incident correction
IV. Documenting the Incident
   A. Collecting and protecting evidence
   B. Incident post mortem
V. Forensics Theory on Any Operating System
   A. Seizure
   B. Preserving evidence
   C. Analysis
   D. Presentation
   E. Searching for clues on Windows system
   F. Searching for clues on UNIX system
   G. File system forensics
   H. Network forensics
   I. Imaging a system
VI. Toolkits
   A. Building a forensics toolkit
   B. Review of existing tools
   C. Development of custom tools
VII. Legal Permissions and Restrictions
   A. Working with law enforcement
   B. Collecting evidence for trial
   C. Forensics challenge
VIII. Malicious Code and Binaries Dissection and Analysis
   A. Back doors
   B. Rootkits
   C. Trojan horses
   D. Worms
   E. Viruses
   F. Logic bomb
MCCCD Governing Board Approval Date: 6/17/2003