COEN 252 Computer Forensics Syllabus

Course Description

Procedures for identification, preservation, and extraction of electronic evidence. Auditing and investigation of network and host system intrusions, analysis and documentation of information gathered, and preparation of expert testimonial evidence. Forensic tools and resources for system administrators and information system security officers. Ethics, law, policy, and standards concerning digital evidence. (4 units)


The following are absolutely essential to take the course:

These are desirables:

Course Text Books

You also might want to learn Perl. We will not use a lot of Perl in the class, but it is very useful. There are many books out there depending on how much you already know. For the experienced Perl programmer, I recommend Effective Perl Programming by Joseph N. Hall and Randal L. Schwartz (Addison-Wesley), but you might also try out the Perl Cookbook by Tom Christiansen and Nathan Torkington at O'Reilly. If you are starting out, Programming Perl, 3rd Edition by Larry Wall, Tom Christiansen, and Jon Orwant at O'Reilly (the camel book) or Learning Perl, 3rd Edition: Making Easy Things Easy and Hard Things Possible by Randal L. Schwartz and Tom Phoenix, also O'Reilly (the Llama book), are good choices.

The Incident Response book covers material from weeks 2 - 10. The Counter Hack text covers material in weeks 7 - 9. I recommend buying from an online bookstore after comparing prices. (S: List Price: $49.99, Barnes&Noble $39.99, Amazon $31.32, Best price (used) $22.57, TextbookX $30.72; MPP: List price: $49.99, Amazon: $31.49, Barnes&Noble $44.99, TextbookX: $34.30 (3/25/05))


Date / Week / Lecture Topic / Laboratory Activity
  Week 1 Introduction. Nature of Forensics Evidence. Ethical Issues. Email Tracing. Internet Fraud. URL Obscuring.
  Week 2 Evidence Collection. Legal Issues. Hard Drive Facts. Email Tracing. URL Obscuring. Password Cracking.
  Week 3 FAT File Systems I. Hard Drive Imaging. Ethics Case, Seizure Proceedings, Hard Drive Mirroring. Understanding MBR and BPB Evidence Search at Byte Level. Evidence Search with Forensics Tool.
  Week 4 NTFS, UNIX File Systems II. Searching for Evidence on a Hard Drive I. Creation of Forensics Boot Disks. Ethics case.
  Week 5 FAT, NTFS, UNIX File Systems III. Searching for Evidence on a Hard Drive II. IP Case
  Week 6 Live Systems Investigations. Emergency Assessment of a UNIX system.
  Week 7 Network Protocols. Network Analysis. Introduction to network scanning tools. Ethereal, TCPDump.
  Week 8 Hacking I. Network Scanning. Traffic Analysis. Snort.
  Week 9 Hacking II. Organizational Security. Denial of Service Attacks.
  Week 10 Incident Response Policies. Incident Reporting. Forensics and Intrusion Detection Tools. Network Vulnerability Tools.
*Tentative: Check for updates.

Students will be required to sign a promise not to put their acquired knowledge to illegal or unethical use. While this statement has little legal significance, it might come in handy in the penalty phase of your criminal proceedings.


Student grades are based on

Academic Integrity

This class is subject to the School of Engineering's Honor code.

Disability Accommodation Policy: To request academic accommodations for a disability, students must contact Disability Resources located in the Drahmann Center in Benson, Room 214 (Tel.: 554-4111, TTY 554-5445). Students must provide documentation of a disability to Disability Resources prior to receiving accommodations.

Sun Academic Alliance

You might also want to take the Perl courses offered by the Sun Academic Alliance. You can find instructions at ~tschwarz/Homepage/SunAcademicAllianceInstructions.html

2009 Thomas Schwarz, S.J., COEN, SCU
These documents are not intended for dissemination beyond SCU. CAVEAT LECTOR