COEN 252
Lecture Notes

Lecture Notes are exactly that: notes by the lecturer for the lecture. These notes are not publications and are not meant to replace the lectures. Their purpose is to give students a quick reference to the material covered, for the purpose of preparing for class.

The notes are being updated while the course is being taught. Go here to access notes from last year.

Introduction
  Notes: Introduction (1)

Ethics
  Notes: Introduction to Applied Ethics (1)
  Presentations: Ethics Presentation (1)

Legal Issues
  Notes: Legal Issues (1); Procedures for Collecting Evidence (2)
  Presentations: Legal Issues Presentation (1); Coll. Evid. Pres. (2)

Internet Investigations
  Notes: Email Investigations (1); Email Tracing (1); URL Obscuring (2)
  Presentations: Email Tracing Examples (2); URL Obscuring

Gaining System Access
  Notes: Password Cracking (2)
  Presentations: Password Cracking (2)

Principles of Evidence Search on a Hard Drive
  Notes: Evidence Collection on a Hard Drive (3); Hard Drive Duplication (3), Chapter 7, Mandia, Prosise, Pepe; Hard Drive Geometry (3); Hard Drive Partitioning & FAT File System (3); Master Boot Record Example (4)
  Presentations: HD Evidence Presentation (3); Forensic Duplication (3); HD Geom Presentation (3); Partitioning and FAT File System Pres. (3); Master Boot Record and NTFS Example (4)

File Systems and Search for Evidence on a Hard Drive
  Notes: FAT (3/4); FAT Example (4); NTFS File System (4); NTFS Example (4); UNIX File Systems (5); Journaling File Systems (5)
  Presentations: Partitioning and FAT File System Pres. (3/4); FAT Example Pres. (4); NTFS Pres. (4); NTFS Example Pres. (4); NTFS Example Pres. (5)

Hard Drive Analysis
  Notes: Chapter 11, Mandia, Prosise, Pepe (5); Chapter 12, Mandia, Prosise, Pepe (5); Review: Forensic Process for Hard Drive Analysis (5)
  Presentations: Data Analysis Technique Pres. (5); Data Analysis Technique Pres.

Live System Investigation
  Notes: Chapter 5, Mandia, Prosise, Pepe (6); Chapter 6, Mandia, Prosise, Pepe (6); Windows Forensics Toolkit Links (6)
  Presentations: Windows Live Analysis Pres. (5); Unix Live Analysis Pres. (6); Windows Boot Disk (7)

Collecting Network-Based Evidence
  Notes: Chapter 8, Mandia, Prosise, Pepe (7)
  Presentations: Collecting Network-Based Evidence Presentation (7)

Network Protocols
  Notes: Network Protocols (7); Network Analysis with TCPDump (8); Chapter 14, Mandia, Prosise, Pepe (7); Snort User Manual (8)
  Presentations: Network Protocols Pres. (7); Network Analysis with TCPDump (8); Analysis with SNORT (8)

Incident Response
  Notes: Incident Response (8)

Network Attacks
  Notes: Skoudis (7); Buffer Overflow (9)
  Presentations: Hacking Overview Pres. (8); Buffer Overflow Pres. (10); see also Network Protocols Pres. (7)

Network Intrusion Detection
  Notes: Wu, Wong: Remote Sniffer Detection; AbdelallahEljadj et al.: Sniffer Wall (9); Chapter 16, Mandia, Prosise, Pepe (10)
  Presentations: Remote Sniffer Detection (9); Intrusion Detection Systems (10); Router Investigation (10)

Malware
  Notes: Ed Skoudis: Malware: Fighting Malicious Code; Chapter 15, Mandia, Prosise, Pepe (10)
  Presentations: Malware (9/10); Malware Analysis (10)

Forensic Reporting
  Notes: Chapter 17, Mandia, Prosise, Pepe (10)
  Presentations: Forensic Reporting (10)

Numbers in parentheses refer to the week of the lecture.

Additional Resources

TCP/IP Reference Card (directly from SANS.org)

Bibliography

©2004 Thomas Schwarz, S.J., COEN, SCU
These documents are not intended for dissemination beyond SCU. CAVEAT LECTOR