COURSE SYLLABUS
14-832: Cyber Forensics and Incident Response Capstone
Fall 2024
Instructor: Nektarios Leontiadis
Email: leontiadis@cmu.edu
Office Hours: See schedule
Instructor: William Nichols
Email: wrnichol@andrew.cmu.edu
Office Hours: See schedule
Course Description:
The CyFIR concentration capstone course challenges students by placing them in the middle of a realistic hands-on investigation taking place immediately after a crime. Over the course of the semester students will work together in groups to take the case through every phase of an investigation, from active incident response to post-mortem investigation, and even to prosecution. Students will do their best to represent their client's interests, both by finding evidence to exonerate their client, as well as to implicate the guilty parties. Instructors will guide students to utilize advanced event correlation and reconstruction techniques as well as emerging data collection and analysis approaches to best convey their findings to different types of target audiences. Using both host-based and network-based forensics techniques, students will learn to effectively synthesize data, utilize problem solving skills to draw investigative conclusions, and document their analysis. Additionally, students will be required to follow sound forensic methodologies to protect and prepare digital evidence throughout their mock investigations. Furthermore, students will learn to effectively summarize and communicate their forensic analysis through technical report writing and communication best practices. Upon completion of this course, students will be prepared to participate in and guide enterprise cyber security, security incident response, and forensic operations for large organizations.
Number of Units: 12
Prerequisites:
14-761: Applied Information Assurance
14-822: Host Based Forensics
Corequisite:
14-823: Network Based Forensics
Course Objectives:
The goal of this course is to give students the opportunity to actualize the technical skills they have acquired during the prerequisite courses in such a way that they can utilize them in the real world.
In support of this primary objective the following specific objectives are targeted:
Course Website: https://canvas.cmu.edu/courses/43111
Canvas will be used to distribute information on assignments, course material, grades, and general course announcements.
Class Schedule:
This course has been designed to be virtual/remote-first. As such, all the sessions will be held over Zoom at a predefined timeslot: Mondays 5pm-7:50pm ET / 2pm-4:50pm PT.
Additional changes to the course delivery may be made during the semester if required; any such changes will be communicated to the entire class via Canvas announcements.
The first course meeting will be held over Zoom on Monday August 26th at the scheduled time. During this lecture period students will be assigned to a group which they will remain in for the remainder of the course. All deliverables will be group based[1], so it is imperative that all group members contribute equally. As such, all groups will be required to draft a team contract (a sample template is available on Canvas). Each team member is to sign the contract and the completed document must be submitted via Canvas within 1 week. Students who do not fulfill their obligations under this contract may have their grades adjusted downward from that of their team-mates.
During the course of the semester student teams will be assigned to conduct a large-scale investigation of an incident[2]. During the first half of the semester additional evidence will be published on a weekly basis. Each week for the first half of the semester students will be divided into breakout rooms to provide updates on their investigations over Zoom. These updates should be in a presentation format which provides clarity to a non-technical audience, with available supporting materials to answer in depth questions. Near the middle of the semester, each team will be responsible for submitting their completed Incident Report.
During the second half of the semester, we will conduct a series of mock hearings during which each week one team will be responsible for providing testimony defending the actions of a participant in the incident, and one team will be responsible for prosecuting that individual. In this manner each team will have one turn acting in each role[3].
In the final 2 weeks of class each team will provide a presentation on their conduct as a team during the course of the semester – what challenges they faced, what worked, what didn’t, and areas for improvement, and the instructors will provide a complete debriefing of the ground truth of the incident as it occurred.
Week # | Date | Objective | Deliverable |
Week 1 | Aug 26 | CyFIR Capstone Introduction & Overview; Evidence drop | |
Week 2 | Sep 2 | (Labor Day) | Team Contract |
Week 3 | Sep 9 | All teams - Interim Presentations - 30’ per team; Discussion on extreme clarity; Evidence drop | Interim presentation |
Week 4 | Sep 16 | Virtual office hours during class; Evidence drop | |
Week 5 | Sep 23 | All teams - Interim Presentations - 30’ per team; Evidence drop | Interim presentation |
Week 6 | Sep 30 | Virtual office hours during class; Evidence drop | |
Week 7 | Oct 7 | All teams - Interim Presentations - 30’ per team; Evidence drop | Interim presentation |
Week 8 | Oct 14 | (Fall Break) | |
Week 9 | Oct 21 | Virtual office hours during class; Evidence drop | |
Week 10 | Oct 28 | All teams - Interim Presentations - 30’ per team; Virtual office hours during class | Interim presentation |
| Oct 31 | MAJOR DELIVERABLE | Full Findings Report |
Week 11 | Nov 4 | Hearing #1 – Team 1 Prosecuting, Team 2 Defending | Prosecution: / Defense: |
Week 12 | Nov 11 | Hearing #2 – Team 2 Prosecuting, Team 3 Defending | As above |
Week 13 | Nov 18 | Hearing #3 – Team 3 Prosecuting, Team 1 Defending | As above |
Week 14 | Nov 25 | Team debrief | |
Week 15 | Dec 2 | Instructor debrief | |
Textbook Information:
This course does not have a textbook.
Evaluation & Grading:
Team Contract | 2% |
Interim Briefing #1 | 3% |
Interim Briefing #2 | 3% |
Interim Briefing #3 | 3% |
Interim Briefing #4 | 3% |
Incident Report | 35% |
Defense Testimony | 25% |
Prosecution Testimony | 25% |
Extra Credit | Variable |
Total | 100% |
Assignments
Assignment submissions are due by 12:01 am PT on their due date, unless otherwise specified. Assignments received after 12:01 am PT will be considered late. Late assignments will be docked 10% per day until they are submitted. A grading rubric will be distributed with each assignment. A late incident report will be docked 25% per day as late submissions will present an unfair disadvantage to other teams in preparing their cross examinations.
Assignment #1: Team Contract | Each team of students will draft their own team contract based upon the criteria provided. All team members must sign the contract and return it to the instructors. Students who fail to abide by the terms of the team contract may not receive full credit for team assignments impacted by their behavior. |
Assignment #2: Interim Briefings | At regular intervals throughout the investigation process teams will be responsible for providing an updated briefing to the course instructors. During these briefings the instructors will act as members of upper management, and teams will be evaluated primarily on their ability to clearly communicate their progress, their challenges, as well as clearly defining their current beliefs and their degree of certainty for each claim. Teams will not be evaluated on the technical quality of their investigations during the interim briefings. These briefings are primarily designed to give students a chance to practice their ability to clearly communicate findings while giving the instructors an opportunity to provide course correction advice to the students to ensure they remain on track for delivering the best possible final incident report (see next assignment). |
Assignment #3: Incident Report | Each team will submit one final incident report detailing their findings. This report must be written in a deductive manner that is understandable by a nontechnical audience while still providing all the necessary details for a technical audience to be able to understand the exact process by which the investigation was conducted and what specific evidence was found to support the findings contained within the report. |
Assignment #4: Defense Testimony & Prosecution Testimony | Each hearing will focus on one specific area of the investigation. Within the defined scope of the hearing one team will be responsible for prosecuting whatever crimes they believe occurred within that specific area of the investigation. Another team will be responsible for defending against these claims. The entire content of the prosecuting team’s incident report may be used by both teams during this hearing. The defense team may introduce whatever portions of their own incident report they wish to include as they see fit. The prosecution may not address portions of the defense’s incident report which have not been introduced into evidence. Teams are encouraged to purposefully take advantage of any possible interpretations of ambiguously worded statements in the opposing team’s incident report, or poorly supported claims therein. Teams may not rely on evidence that was not contained in an included incident report. |
Class Participation and Discussions
In the first half of the semester, and whenever there is no explicit deliverable (see Schedule), we expect students to join the discussion virtually to ask questions related to the material distributed on a given week or the weeks prior.
During group discussions and hearings, please be respectful and courteous to your peers. While tensions may rise due to the adversarial nature of the proceedings, we must always retain our professional demeanor and respect. Personal attacks will not be tolerated.
Discussions that take place outside of the classroom will be conducted via Canvas.
Class Policies and Expectations
Since this is a capstone course, students will be expected to effectively manage their schedules and work independently outside of the scheduled class time. The schedule may be changed during the course as required. If the instructors must cancel a meeting, notification will be sent out as early as possible. Additionally, a pool of 100 points of extra credit will be shared among all students who quote this sentence in a message to the instructors within 72 hours of the first class. Since these points will be divided among those who do so, it would benefit you most to keep this to yourself. Consider it a reward for reading all the course materials carefully.
Take Care of Yourself:
Do your best to maintain a healthy lifestyle this semester by eating well, exercising, avoiding drugs and alcohol, getting enough sleep and taking some time to relax. This will help you achieve your goals and cope with stress.
All of us benefit from support during times of struggle. You are not alone. There are many helpful resources available on campus and an important part of the college experience is learning how to ask for help. Asking for support sooner rather than later is often helpful.
If you or anyone you know experiences any academic stress, difficult life events, or feelings like anxiety or depression, we strongly encourage you to seek support. Counseling and Psychological Services (CaPS) is here to help: call 412-268-2922 and visit their website at http://www.cmu.edu/counseling/. Consider reaching out to a friend, faculty or family member you trust for help getting connected to the support that can help.
CMU Academic Integrity Policy:
(https://www.cmu.edu/policies/student-and-student-life/academic-integrity.html)
The INI academic integrity policy can be found in the INI Student Handbook:
(http://www.ini.cmu.edu/current_students/handbook/, section IV, subsection III)
The INI adheres to Carnegie Mellon University’s Policy on Academic Integrity. The policy includes the University expectations around academic integrity and provides definitions of cheating, plagiarism, and unauthorized assistance. A review of the University’s Academic Disciplinary Actions procedures is also recommended. These procedures outline the process for investigating, reporting, and adjudicating violations of the University Policy on Academic Integrity, in addition to the appeal process. Students are responsible for reviewing and understanding the University policies below:
University Academic Disciplinary Actions procedures:
https://www.cmu.edu/student-affairs/ocsi/students/undergrad%20responding/revised-ai-procedures19-20.pdf
In addition to the university and college-level policies, it is the INI’s policy that an INI student is not permitted to drop the course in which the academic integrity violation occurred. The INI may recommend additional sanctions beyond course-level action.
This policy applies, in all respects, to this course.
[1] Course objective #2
[2] Course objective #1