CFRS 763 - Office of the Provost

Course Approval Form
For approval of new courses and deletions or modifications to an existing course. More information is located on page 2.

Action Requested: Create new course
Course Level: Graduate
College/School: VSE (Volgenau School of Engineering)
Department: ECE
Submitted by: Robert Osgood (Ext: 3-5443; Email: rosgood@gmu.edu)
Subject Code: CFRS
Number: 763 (Do not list multiple codes or numbers. Each course proposal must have a separate form.)
Effective Term: Fall 2013
Title (New; Banner, 30 characters max including spaces): Registry Forensics - Windows
Credits: 3 (fixed)
Grade Mode: Regular (A, B, C, etc.)
Repeat Status: Not Repeatable (NR)
Schedule Type Code(s): Lecture (LEC), Lab (LAB)
Prerequisite(s): CFRS 500, CFRS 661
Corequisite(s): none
Special Instructions: none

Catalog Copy for NEW Courses Only (Consult University Catalog for models)
Description (no more than 60 words, verb phrases, present tense): Presents the concepts, tools, and techniques used for forensic collection, identification, and analysis of the Windows registry; reviews the structure and layout of the registry and introduces the types of artifacts found within; evaluates and interprets registry data with emphasis on hands-on exercises.
Notes: Course will consist of exercises conducted in a lab environment with concurrent lectures (combined total of 3 credits for lab and lecture exercises).
Contact hours: 3 hours of lecture or seminar per week; hours of lab or studio not listed (the catalog entry gives 3:3:0).
When Offered: Fall, Spring

Approval Signatures
Department Approval: Andre Manitius, Chair (date not shown)
College/School Approval: not shown
If this course includes subject matter currently dealt with by any other units, the originating department must circulate this proposal for review by those units and obtain the necessary signatures prior to submission. Failure to do so will delay action on this proposal.
Unit approvals (Unit Name, Unit Approver's Name and Signature, Date): none listed
For Graduate Courses Only: Graduate Council Member, Provost Office, Graduate Council Approval Date (not shown)
Form revised 10/7/09
SCHOOL PROPOSAL TO THE GRADUATE COUNCIL BY THE VOLGENAU SCHOOL OF ENGINEERING
1. CATALOG DESCRIPTION
(a) CFRS 763 (3:3:0) Registry Forensics – Windows
(b) Prerequisites: CFRS 500, CFRS 661
(c) Catalog Description: Presents the concepts, tools, and techniques used for forensic collection, identification, and analysis of the Windows registry; reviews the structure and layout of the registry and introduces the types of artifacts found within; evaluates and interprets registry data with emphasis on hands-on exercises.
2. JUSTIFICATION
(a) Course Objectives:
This course will present students with the basic tools and techniques used to conduct a forensic analysis of the Windows registry.
Students will apply industry best practices to both the collection and subsequent analysis of Windows registry files, with an
emphasis on hands-on exercises using currently available open-source and commercial tools.
(b) Course Necessity:
The course builds upon the introductory concepts of Windows registry analysis laid out in the Computer Forensics courses CFRS 500 Introduction to Technology of Forensics Value and CFRS 661 Digital Media Forensics, and is an essential step in nearly all types of forensic analyses, from theft of intellectual property to malware analysis. Additionally, with the continued usage of Windows XP and Windows 7 in enterprise-level environments, it becomes necessary to fully understand the differences in the registry files found in each version of the Windows operating system. Finally, by addressing this topic as a separate course, the Computer Forensics program differentiates itself from other graduate programs that do not offer this course.
(c) Relationship to Existing Courses:
As noted above, this course builds on the core courses CFRS 500 Introduction to Techniques of Forensics Value and CFRS 661 Digital Media Forensics. Both of these courses currently contain teaching modules that skim the surface of this topic in an attempt to whet the appetites of students. These brief introductions are a lead-in to this new course, which is not duplicative of any other course within the Computer Forensics Program.
3. APPROVAL HISTORY
ECE Department: October 12, 2012
VSE Graduate Committee: date not recorded
4. SCHEDULING
Every fall and spring semester, starting Fall 2013.
5. PROPOSED INSTRUCTORS
Robert Osgood, Jonathan Fowler, and other suitably qualified faculty
6. COURSE OUTLINE
(a) Overview
Week 1
Course Overview/Administrative Items; Windows Registry Overview
Overview of course presented, syllabus reviewed, administrative items discussed. Topic of discussion will be general
background/overview/evolution of the Windows registry.
Week 2
Registry Hives - Overview
Topics of discussion will include the main Windows registry hive files of interest to forensic analysts: SAM, Security, System, and Software (stored under %SystemRoot%\System32\config) and each user's NTuser.dat.
Week 3
Registry Hives – SAM, Security, NTuser
Topics of discussion will include the SAM, Security, and NTuser registry hives and what types of information can be found
in each. Hands-on exercises will allow students to locate information pertaining to specific user accounts and how to
interpret that information.
Week 4
Registry Hives – System, Software
Topics of discussion will include the System and Software registry hives and what types of information can be found in each. Hands-on exercises will have students locate information on system configuration and installed software in these hives and interpret it.
Week 5
Basic Registry Analysis – Commercial and Open Source Registry Analysis Tools
Students will be shown multiple commercial and open-source tools used for registry analysis and then given sample registry
hives to analyze with those tools. Tools to be shown include, but are not limited to: Registry Viewer, EnCase, RegRipper,
YARU, and Registry Decoder.
Week 6
Basic Registry Analysis – Live Registry Analysis
Students will discuss the rationale, tools, and methodologies used in conducting an analysis on a live Windows registry.
Hands-on exercises will include review of live registry hives using tools discussed in Week 5.
Week 7
Basic Registry Analysis – Post-Mortem Registry Analysis/Review for Mid-Term
Students will discuss the rationale, tools, and methodologies used in conducting a post-mortem analysis on Windows
registry files. Hands-on exercises will include review of registry hives using tools discussed in Week 5. Review of material
covered on the mid-term will also be held.
Week 8
Mid-Term Exam
Mid-Term Exam will be given.
Week 9
Advanced Registry Analysis – Comparative Registry Analysis
Students will discuss methodologies for performing analyses of registry hives from the same computer from different points in time (e.g., Windows restore points, Volume Shadow Copies). Hands-on exercises will be presented.
Week 10
Advanced Registry Analysis – Unallocated/Slack Space in Registry Hives
Students will discuss methodologies for performing analyses of slack and unallocated space in registry hives, and discuss registry hive/key reconstruction. Hands-on exercises will be presented.
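Weeks 2 and 10 both turn on the hive layout itself: a 4 KiB regf base block, followed by hbins made of cells whose signed size marks them allocated (negative) or free (positive), with key records ("nk") inside those cells. The walker below is an added example written for this page, not course material or any vendor tool; it builds a small synthetic hive in memory (the key names and timestamps are constructed) so it runs offline, lists the allocated keys, and carves the deleted key whose record is still sitting in a free cell, which is the reconstruction Week 10 describes.

```python
"""regf hive walker: lists allocated key ("nk") cells and carves deleted keys
whose records survive in free cells. The sample hive is constructed inline so
the script runs offline; offsets follow the public regf / hbin / nk layout."""
import struct
from datetime import datetime, timedelta, timezone

HIVE_HEADER_SIZE = 0x1000  # base block; cell offsets are relative to its end
HBIN_HEADER_SIZE = 0x20
NK_HEADER_SIZE = 0x4C      # fixed part of an nk record; the key name follows
NK_FMT = "<2sHQ" + "I" * 15 + "HH"  # sig, flags, FILETIME, 15 dwords, name/class len
KEY_COMP_NAME = 0x20       # key name stored as 8-bit characters
ROOT_FLAGS = 0x2C          # KEY_HIVE_ENTRY | KEY_NO_DELETE | KEY_COMP_NAME
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    d = dt - EPOCH_1601
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10

def header_checksum(buf):
    """XOR of the base block's first 0x1FC bytes as dwords; 0 and ~0 are reserved."""
    csum = 0
    for off in range(0, 0x1FC, 4):
        csum ^= struct.unpack_from("<I", buf, off)[0]
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(csum, csum)

def build_nk(name, flags, ft, parent_off, allocated=True):
    """One nk cell: signed size (negative = allocated), header, name; 8-byte aligned."""
    raw = name.encode("ascii")
    body = struct.pack(NK_FMT, b"nk", flags, ft, 0, parent_off, 0, 0,
                       0xFFFFFFFF, 0xFFFFFFFF, 0, 0xFFFFFFFF, 0xFFFFFFFF,
                       0xFFFFFFFF, 0, 0, 0, 0, 0, len(raw), 0) + raw
    padded = (4 + len(body) + 7) & ~7
    return struct.pack("<i", -padded if allocated else padded) + body + bytes(padded - 4 - len(body))

def build_sample_hive():
    """Constructed hive: root key, live 'Run' subkey, and a deleted 'EvilUpdater'
    subkey whose record is left in a free cell, as a real delete leaves it."""
    t_root = datetime_to_filetime(datetime(2012, 10, 12, 9, 0, tzinfo=timezone.utc))
    t_del = datetime_to_filetime(datetime(2012, 11, 3, 22, 15, tzinfo=timezone.utc))
    root_off, bin_size = HBIN_HEADER_SIZE, 0x1000
    cells = build_nk("ROOT", ROOT_FLAGS, t_root, 0xFFFFFFFF)
    cells += build_nk("Run", KEY_COMP_NAME, t_root, root_off)
    cells += build_nk("EvilUpdater", KEY_COMP_NAME, t_del, root_off, allocated=False)
    slack = bin_size - HBIN_HEADER_SIZE - len(cells)
    cells += struct.pack("<i", slack) + bytes(slack - 4)  # trailing free cell
    hbin = struct.pack("<4sIIQQI", b"hbin", 0, bin_size, 0, t_root, 0) + cells
    header = bytearray(HIVE_HEADER_SIZE)
    # regf, primary/secondary sequence, timestamp, version 1.5, type, format, root, bins size, cluster
    struct.pack_into("<4sIIQ" + "I" * 7, header, 0, b"regf", 1, 1, t_root,
                     1, 5, 0, 1, root_off, bin_size, 1)
    header[0x30:0x3C] = "SYSTEM".encode("utf-16-le")
    struct.pack_into("<I", header, 0x1FC, header_checksum(header))
    return bytes(header) + hbin

def parse_nk(buf, pos):
    """Decode the nk record whose 'nk' signature sits at buf[pos]; None if implausible."""
    f = struct.unpack_from(NK_FMT, buf, pos)
    sig, flags, ft, parent_off, name_len = f[0], f[1], f[2], f[4], f[18]
    raw = buf[pos + NK_HEADER_SIZE:pos + NK_HEADER_SIZE + name_len]
    if sig != b"nk" or not 0 < name_len < 256 or len(raw) < name_len:
        return None
    if flags & KEY_COMP_NAME:
        if not all(0x20 <= b < 0x7F for b in raw):
            return None  # carving guard: a deleted key's name must still be printable
        name = raw.decode("ascii")
    else:
        name = raw.decode("utf-16-le", errors="replace")
    return {"name": name, "flags": flags, "parent": parent_off,
            "last_written": filetime_to_datetime(ft)}

def walk_hive(hive):
    """Return (live_keys, carved_keys). Allocated cells (negative size) are read in
    place; free cells (positive size) keep their old bytes until reused, so every
    4-byte position in them is checked for an 'nk' signature."""
    if hive[:4] != b"regf":
        raise ValueError("not a regf hive")
    if struct.unpack_from("<I", hive, 0x1FC)[0] != header_checksum(hive):
        raise ValueError("base block checksum mismatch: damaged hive")
    bins_size = struct.unpack_from("<I", hive, 0x28)[0]
    live, carved, pos = [], [], HIVE_HEADER_SIZE
    while pos < HIVE_HEADER_SIZE + bins_size:
        if hive[pos:pos + 4] != b"hbin":
            raise ValueError(f"bad hbin signature at 0x{pos:x}")
        bin_end = pos + struct.unpack_from("<I", hive, pos + 8)[0]
        cell = pos + HBIN_HEADER_SIZE
        while cell < bin_end:
            size = struct.unpack_from("<i", hive, cell)[0]
            if size == 0 or abs(size) > bin_end - cell:
                raise ValueError(f"corrupt cell size at 0x{cell:x}")
            if size < 0 and -size >= 4 + NK_HEADER_SIZE and hive[cell + 4:cell + 6] == b"nk":
                rec = parse_nk(hive, cell + 4)
                if rec:
                    rec["offset"] = cell - HIVE_HEADER_SIZE
                    live.append(rec)
            elif size > 0:
                for off in range(cell + 4, cell + size - NK_HEADER_SIZE + 1, 4):
                    rec = parse_nk(hive, off) if hive[off:off + 2] == b"nk" else None
                    if rec:
                        rec["offset"] = off - 4 - HIVE_HEADER_SIZE
                        carved.append(rec)
            cell += abs(size)
        pos = bin_end
    return live, carved
```

A real SYSTEM or NTUSER.DAT file is read the same way by passing its bytes to walk_hive(). The base block also carries two sequence numbers (offsets 0x04 and 0x08); when they differ the hive was not cleanly flushed, and the accompanying .LOG transaction logs should be replayed before trusting what is read, which this example does not do.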
Week 11
Advanced Registry Analysis – Malware/APT Analyses
Topics of discussion will include which registry hives/keys malware uses to maintain persistence and how to detect when malware has placed itself there. Hands-on exercises will be presented.
Week 12
Case Studies – Removable Devices
Different case studies will be presented in which students will have to analyze different registry hives in order to identify
and track removable devices.
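One way the removable-device case studies are worked in practice, added here as an example and not course material: each instance key under SYSTEM\...\Enum\USBSTOR names the device class, vendor, product, revision and serial; a '&' as the second character of the instance id marks a serial that Windows synthesised because the device reported none; and the SYSTEM\MountedDevices values embed the same device id and serial in a UTF-16LE device path, which ties the device to a drive letter and a volume GUID. The key paths and MountedDevices values below are constructed, not taken from a real system.

```python
"""Identify removable storage devices from USBSTOR key paths and tie them to drive
letters through SYSTEM\\MountedDevices. Sample key paths and values are constructed."""
import re
import struct

DEVICE_ID = re.compile(r"^(?P<cls>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$")

def parse_usbstor_key(key_path):
    """Split ...\\Enum\\USBSTOR\\<device id>\\<instance id> into its forensic fields."""
    parts = key_path.split("\\")
    idx = parts.index("USBSTOR")
    device_id, instance_id = parts[idx + 1], parts[idx + 2]
    m = DEVICE_ID.match(device_id)
    if not m:
        raise ValueError(f"unexpected USBSTOR device id: {device_id}")
    # Instance id is "<serial>&<lun>"; a '&' as its second character means the
    # device reported no serial number and Windows synthesised the id.
    serial = instance_id.rsplit("&", 1)[0]
    return {
        "device_id": device_id, "instance_id": instance_id,
        "device_class": m["cls"], "vendor": m["vendor"].replace("_", " "),
        "product": m["product"].replace("_", " "), "revision": m["rev"],
        "serial": serial, "serial_from_device": instance_id[1:2] != "&",
    }

def decode_mounted_device(data):
    """MountedDevices data: 12 bytes = MBR disk signature + partition byte offset
    (fixed disks); otherwise a UTF-16LE device interface path (USB and others)."""
    if len(data) == 12:
        sig, offset = struct.unpack("<IQ", data)
        return {"kind": "mbr", "disk_signature": f"{sig:08X}", "partition_offset": offset}
    return {"kind": "path", "path": data.decode("utf-16-le", errors="replace").rstrip("\x00")}

def correlate(usbstor_keys, mounted_devices):
    """One record per USBSTOR instance, with the drive letters and volume GUIDs
    whose MountedDevices path embeds that device id and instance id."""
    decoded = {name: decode_mounted_device(data) for name, data in mounted_devices.items()}
    devices = []
    for key in usbstor_keys:
        dev = parse_usbstor_key(key)
        needle = f"USBSTOR#{dev['device_id']}#{dev['instance_id']}#".lower()
        hits = [name for name, d in decoded.items()
                if d["kind"] == "path" and needle in d["path"].lower()]
        dev["drive_letters"] = sorted(n.split("\\")[-1] for n in hits if n.startswith("\\DosDevices\\"))
        dev["volume_guids"] = sorted(n for n in hits if n.startswith("\\??\\Volume{"))
        devices.append(dev)
    return devices

def _usb_path(device_id, instance_id):
    # Disk-class device interface GUID {53f56307-b6bf-11d0-94f2-00a0c91efb8b}
    return f"\\??\\USBSTOR#{device_id}#{instance_id}#{{53f56307-b6bf-11d0-94f2-00a0c91efb8b}}".encode("utf-16-le")

SAMPLE_USBSTOR_KEYS = [  # constructed: one device with a real serial, one without
    r"HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.26\4C530001230123&0",
    r"HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a1b3c4d&0&_&0",
]
SAMPLE_MOUNTED_DEVICES = {  # constructed: fixed C: plus the SanDisk volume as E:
    r"\DosDevices\C:": struct.pack("<IQ", 0x1A2B3C4D, 1048576),
    r"\DosDevices\E:": _usb_path("Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.26", "4C530001230123&0"),
    r"\??\Volume{7d4e1b22-3c1f-11e2-9a0b-806e6f6e6963}": _usb_path(
        "Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.26", "4C530001230123&0"),
}
```

Connection times come from the LastWrite timestamps of the instance key and its subkeys, and per-user attribution from the matching volume GUID under the user's NTUSER.DAT Explorer\MountPoints2 key; both need hive parsing rather than string handling and are left out here.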
Week 13
Case Studies – Tracking/Reconstructing User Activity
Different case studies will be presented in which students will have to analyze different registry hives in order to identify
and reconstruct user activities.
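The UserAssist key in NTUSER.DAT is the usual starting point for reconstructing which programs a user ran. The decoder below is an added example, not course material: it reverses the ROT13 applied to the value names, maps the Windows 7 known-folder GUID prefixes to their default paths (an assumption, since the hive does not store the expansion), and unpacks both the 16-byte XP/2003 layout, whose stored count starts at 5, and the 72-byte Vista/7 layout, which carries run count, focus count, focus time and last-run FILETIME. The two sample values are constructed.

```python
"""Decode UserAssist values (NTUSER.DAT ...\\Explorer\\UserAssist\\{GUID}\\Count):
ROT13-encoded program paths with run counts and last-run FILETIME. Samples are
constructed; the known-folder map holds assumed default locations."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Known-folder GUIDs Windows 7 substitutes into the recorded path, with their
# typical default locations (assumed defaults, not read from the hive).
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"%SystemRoot%\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": r"%SystemRoot%",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": r"%ProgramFiles%",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": r"%ProgramFiles(x86)%",
}

def filetime_to_datetime(ft):
    """FILETIME (100 ns since 1601-01-01 UTC); zero means never recorded."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)

def decode_userassist(value_name, data):
    """Return decoded path, run count, focus data and last run time.
    16-byte data is the XP/2003 layout, 72-byte data the Vista/7 layout."""
    path = codecs.decode(value_name, "rot_13")
    guid, sep, rest = path.partition("\\")
    if sep and guid.upper() in KNOWN_FOLDERS:
        path = KNOWN_FOLDERS[guid.upper()] + "\\" + rest
    if len(data) == 16:
        _session, count, ft = struct.unpack("<IIQ", data)
        # XP starts counting at 5, so the stored value is 5 above the real count.
        return {"path": path, "run_count": max(count - 5, 0), "focus_count": None,
                "focus_time_ms": None, "last_run": filetime_to_datetime(ft), "layout": "xp"}
    if len(data) == 72:
        # session, run count, focus count, focus time (ms), 10 floats, dword, FILETIME, dword
        fields = struct.unpack("<IIII10fIQI", data)
        return {"path": path, "run_count": fields[1], "focus_count": fields[2],
                "focus_time_ms": fields[3], "last_run": filetime_to_datetime(fields[15]),
                "layout": "win7"}
    raise ValueError(f"unrecognised UserAssist data length {len(data)}")

def _filetime(dt):
    d = dt - EPOCH_1601
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10

# Constructed samples; the names are produced with the same ROT13 the shell applies.
SAMPLE_WIN7 = (
    codecs.encode(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe", "rot_13"),
    struct.pack("<IIII10fIQI", 0, 7, 3, 45_000, *([0.0] * 10), 0xFFFFFFFF,
                _filetime(datetime(2012, 11, 3, 22, 15, tzinfo=timezone.utc)), 0),
)
SAMPLE_XP = (
    codecs.encode(r"UEME_RUNPATH:C:\Tools\psexec.exe", "rot_13"),
    struct.pack("<IIQ", 1, 5 + 3, _filetime(datetime(2012, 10, 12, 9, 0, tzinfo=timezone.utc))),
)

def sample_report():
    """Decode both constructed entries in the order they would be reported."""
    return [decode_userassist(name, data) for name, data in (SAMPLE_WIN7, SAMPLE_XP)]
```

On a live or mounted hive the value names and data come from the Count subkeys of {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} (executables) and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} (shortcuts) on Windows 7; feed each pair to decode_userassist() and sort by last_run to get an execution timeline.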
Week 14
Case Studies/Course Review
Additional case studies/scenarios will be presented to students for discussion/analysis. Review of the course material in preparation for the final project will be held.
Week 15
Final Project
Final projects will be presented.
(b) Required Reading and Reference Material
Required Text: Carvey, H. Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry. Elsevier, Inc. (2011). ISBN-13: 978-1-59749-580-6 (ISBN-10 not listed).
(c) Student Evaluation Criteria
Homework/Hands-on Projects: 35%
Midterm: 30%
Final Project: 35%