IT 452

Special Topics in IT: Intro to Cyber Forensics (3 credits)

Text: AccessData Student Manual: Forensic Toolkit Academic Edition, AccessData, 2016

Course Information: This course introduces a special topic of current interest in information technology, offered as the need arises. May be repeated for additional credit.

Prerequisite: Upper-level IT eligibility and consent of instructor

Required/Elective: Elective

Course Outcomes:

Students should be capable of:

  1. Discuss evidence, preservation, and chain of custody
  2. Discuss proper evidence acquisition methods
  3. Discuss requirements for disclosure per the Federal Rules of Civil Procedure
  4. Explain spoliation and why it matters to an investigation
  5. Discuss encryption and how various types of passwords can be determined or bypassed
  6. Discuss compound files and how they are handled in FTK
  7. Discuss the common file systems and the usual backgrounds for those file systems
  8. Discuss operating systems in general with respect to investigation differences
  9. Discuss the evidentiary material in a Windows operating system and how it is properly examined, including likely nefarious findings
  10. Demonstrate an understanding of keyword searching, including compound searches, fuzzy logic searches, and regular expression searching
  11. Discuss Known File Filters, including the source of the hashes and the use of the hashes
  12. Prepare an expert report demonstrating the learning of all the concepts
  13. Pass the exam from AccessData related to FTK (and become an AccessData Certified Examiner (ACE))

Student Outcomes: 

A. An ability to apply knowledge of computing and mathematics appropriate to the program’s student outcomes and to the discipline

I. An ability to use current techniques, skills, and tools necessary for computing practice

J. An ability to use and apply current technical concepts and practices in the core information technologies

Course Topics:

  1. Evidence and spoliation
  2. Chain of custody and logs
  3. FTK Imager and write protection
  4. FTK Processor
  5. File systems
  6. Operating Systems
  7. Windows Operating System details
  8. Metadata and timelines
  9. Log files and timelines
  10. Events and timelines
  11. Deleted files: recovery, recycle bin, file signatures and file carving
  12. Windows registry
  13. File slack, disk slack, used space
  14. Encryption, password recovery, password bypass
  15. Removed programs
  16. Known file filters (KFF) and uses
  17. Attached devices – USB, Bluetooth, FireWire, other
  18. Compound files
  19. Desktop.ini, thumbs.db, lnk, prefetch and more
  20. Recently used files, temporary files, Internet history
  21. Searching: keywords, compound searches, fuzzy logic, and regular expressions
  22. Reporting requirements
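The following is an added illustration of topics 11 (file signatures and file carving) and 16 (Known File Filters) in working code. It is not course material and not AccessData or FTK code; FTK's carving engine and KFF libraries are proprietary, and this sketch only reproduces the underlying idea. The disk image and the two "known" hash sets are constructed for the example; the signature table holds real JPEG and PNG header/footer bytes.

```python
"""Signature-based file carving followed by known-file hash filtering.

Added example, not from the course text or from AccessData. Carving ignores
the file system entirely and scans raw bytes for header/footer pairs, which is
why it recovers files whose directory entries are gone. A Known File Filter
(KFF) then hashes each recovered object and compares it with hash sets of
known-good (ignorable) and known-bad (alert) files so the examiner can skip
stock OS files and focus on what matters.
"""
import hashlib
from typing import NamedTuple

# Magic bytes: JPEG starts FF D8 FF and ends FF D9; PNG starts with an 8-byte
# signature and ends with the IEND chunk (type bytes plus its fixed CRC).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 10 * 1024 * 1024  # give up on a header if no footer within 10 MiB


class Carved(NamedTuple):
    offset: int
    ftype: str
    data: bytes
    complete: bool  # False when no footer was found before the next header


def carve(image: bytes, max_size: int = MAX_CARVE) -> list:
    """Return every header/footer object found in the raw image, lowest offset first."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            limit = min(start + max_size, len(image))
            footer_at = image.find(footer, start + len(header), limit)
            next_hdr = image.find(header, start + len(header), limit)
            if footer_at != -1 and (next_hdr == -1 or footer_at < next_hdr):
                end = footer_at + len(footer)
                found.append(Carved(start, ftype, image[start:end], True))
                start = image.find(header, end)
            else:
                # Another header of the same type (or the size limit) comes before
                # any footer: the object was overwritten or truncated. Keep the
                # fragment, flag it, and resume at the next header so a stray
                # header does not swallow the real file behind it.
                end = next_hdr if next_hdr != -1 else limit
                found.append(Carved(start, ftype, image[start:end], False))
                start = next_hdr
    return sorted(found, key=lambda c: c.offset)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed sample objects: structurally plausible, not viewable images.
PNG_OBJECT = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + bytes(13)
              + b"\x00\x00\x00\x00" + b"IEND\xaeB`\x82")
JPEG_OBJECT = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 32 + b"\xff\xd9"

# Constructed "unallocated space": an orphan JPEG header with no footer,
# a whole PNG, junk, a whole JPEG, then zero fill.
DISK_IMAGE = (b"\x00" * 64
              + b"\xff\xd8\xff\xe1" + b"\x00" * 16
              + PNG_OBJECT
              + b"\xaa" * 40
              + JPEG_OBJECT
              + b"\x00" * 32)

# Constructed hash sets standing in for KFF libraries. Real sets (for example
# the NIST NSRL reference set for known-good files) are distributed as MD5 and
# SHA-1 lists; matching is exact, so a single changed byte yields "unknown".
KNOWN_IGNORABLE = {md5_hex(PNG_OBJECT)}  # e.g. a stock application icon
KNOWN_ALERT = {md5_hex(JPEG_OBJECT)}     # e.g. a file from a contraband set


def kff_status(data: bytes, ignorable=KNOWN_IGNORABLE, alert=KNOWN_ALERT) -> str:
    """Classify an object by exact hash match; alert takes precedence."""
    h = md5_hex(data)
    if h in alert:
        return "alert"
    if h in ignorable:
        return "ignorable"
    return "unknown"


def run_example() -> list:
    """Carve the constructed image and KFF-classify each object."""
    return [{"offset": c.offset, "type": c.ftype, "complete": c.complete,
             "size": len(c.data), "md5": md5_hex(c.data), "kff": kff_status(c.data)}
            for c in carve(DISK_IMAGE)]


if __name__ == "__main__":
    for row in run_example():
        print(row)
```

The truncated fragment at offset 64 shows the caveat an examiner has to keep in mind: a carved object is only as good as its footer match, and a header with no footer would, in a naive carver, run on to the next footer and swallow the PNG behind it. The fragment also comes back as "unknown" from the hash sets, because KFF matching is exact and tells you nothing about partial or altered files.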
