
COURSE SYLLABUS

14-832: Cyber Forensics and Incident Response Capstone

Fall 2024

Instructor: Nektarios Leontiadis

Email: leontiadis@cmu.edu

Office Hours: See schedule

Instructor: William Nichols

Email: wrnichol@andrew.cmu.edu

Office Hours: See schedule

Course Description:

The CyFIR concentration capstone course challenges students by placing them in the middle of a realistic hands-on investigation taking place immediately after a crime. Over the course of the semester students will work together in groups to take the case through every phase of an investigation, from active incident response to post-mortem investigation, and even to prosecution. Students will do their best to represent their client's interests, both by finding evidence to exonerate their client, as well as to implicate the guilty parties. Instructors will guide students to utilize advanced event correlation and reconstruction techniques as well as emerging data collection and analysis approaches to best convey their findings to different types of target audiences. Using both host-based and network-based forensics techniques, students will learn to effectively synthesize data, utilize problem solving skills to draw investigative conclusions, and document their analysis. Additionally, students will be required to follow sound forensic methodologies to protect and prepare digital evidence throughout their mock investigations. Furthermore, students will learn to effectively summarize and communicate their forensic analysis through technical report writing and communication best practices. Upon completion of this course, students will be prepared to participate in and guide enterprise cyber security, security incident response, and forensic operations for large organizations.

Number of Units: 12

Prerequisites:

14-761: Applied Information Assurance

14-822: Host Based Forensics

Corequisite:

14-823: Network Based Forensics


Course Objectives: 

The goal of this course is to give students the opportunity to apply the technical skills they acquired in the prerequisite courses in the way they would be used in a real-world investigation.

In support of this primary objective the following specific objectives are targeted:

  1. Students should be able to conduct a full forensic investigation, managing the effort through every phase from the triggering event to presenting testimony.
  2. In a real-world organization it is almost unheard of to work in isolation, so students should become comfortable working as part of a team.
  3. In a real-world organization reporting is a requirement, so students should become familiar with reporting results to different audiences (technical and nontechnical) and with conveying those results persuasively, both verbally and in writing.
  4. Real-world CyFIR challenges rarely fit neatly into existing documented practices, so students should be capable of:
     a. doing independent research focused on the technical aspects of CyFIR, and
     b. developing creative methods for solving challenges using only the tools already available within their organization.

Course Website: https://canvas.cmu.edu/courses/43111

Canvas will be used to distribute information on assignments, course material, grades, and general course announcements.

Class Schedule:

This course has been designed to be virtual/remote-first. As such, all the sessions will be held over Zoom at a predefined timeslot: Mondays 5pm-7:50pm ET/ 2pm-4:50pm PT.

Additional changes to the course delivery may be made during the semester if required, any such changes will be communicated to the entire class via Canvas announcements.

The first course meeting will be held over Zoom on Monday August 26th at the scheduled time. During this lecture period students will be assigned to a group which they will remain in for the remainder of the course. All deliverables will be group based[1], so it is imperative that all group members contribute equally. As such, all groups will be required to draft a team contract (a sample template is available on Canvas). Each team member is to sign the contract and the completed document must be submitted via Canvas within 1 week. Students who do not fulfill their obligations under this contract may have their grades adjusted downward from that of their team-mates.

During the course of the semester student teams will be assigned to conduct a large-scale investigation of an incident[2]. During the first half of the semester additional evidence will be published on a weekly basis. Each week for the first half of the semester students will be divided into breakout rooms to provide updates on their investigations over Zoom. These updates should be in a presentation format which provides clarity to a non-technical audience, with available supporting materials to answer in depth questions. Near the middle of the semester, each team will be responsible for submitting their completed Incident Report.

During the second half of the semester, we will conduct a series of mock hearings during which each week one team will be responsible for providing testimony defending the actions of a participant in the incident, and one team will be responsible for prosecuting that individual. In this manner each team will have one turn acting in each role[3].

In the final 2 weeks of class each team will provide a presentation on their conduct as a team during the course of the semester – what challenges they faced, what worked, what didn’t, and areas for improvement, and the instructors will provide a complete debriefing of the ground truth of the incident as it occurred.

Week | Date   | Objective                                                        | Deliverable
-----|--------|------------------------------------------------------------------|---------------------------------------------
1    | Aug 26 | CyFIR Capstone Introduction & Overview                           | Evidence drop
2    | Sep 2  | (Labor Day)                                                      | Team Contract
3    | Sep 9  | All teams: interim presentations, 30 min per team; discussion on extreme clarity | Evidence drop; interim presentation
4    | Sep 16 | Virtual office hours during class                                | Evidence drop
5    | Sep 23 | All teams: interim presentations, 30 min per team                | Evidence drop; interim presentation
6    | Sep 30 | Virtual office hours during class                                | Evidence drop
7    | Oct 7  | All teams: interim presentations, 30 min per team                | Evidence drop; interim presentation
8    | Oct 14 | (Fall Break)                                                     |
9    | Oct 21 | Virtual office hours during class                                | Evidence drop
10   | Oct 28 | All teams: interim presentations, 30 min per team; virtual office hours during class | Interim presentation
     | Oct 31 | MAJOR DELIVERABLE                                                | Full Findings Report
11   | Nov 4  | Hearing #1: Team 1 prosecuting, Team 2 defending                 | Prosecution: list of crimes via Canvas; prosecution presentation. Defense: optional presentation with the defense's evidence
12   | Nov 11 | Hearing #2: Team 2 prosecuting, Team 3 defending                 | As above
13   | Nov 18 | Hearing #3: Team 3 prosecuting, Team 1 defending                 | As above
14   | Nov 25 | Team debrief                                                     |
15   | Dec 2  | Instructor debrief                                               |

Textbook Information:

This course does not have a textbook.

Evaluation & Grading:

Team Contract           2%
Interim Briefing #1     3%
Interim Briefing #2     3%
Interim Briefing #3     3%
Interim Briefing #4     3%
Incident Report        35%
Defense Testimony      25%
Prosecution Testimony  25%
Extra Credit           Variable
Total                 100%

Assignments

Assignment submissions are due by 12:01 am PT on their due date unless otherwise specified; anything received after 12:01 am PT is late. Late assignments will be docked 10% per day until they are submitted. A grading rubric will be distributed with each assignment. A late incident report is docked 25% per day instead, because a late submission puts the other teams at an unfair disadvantage in preparing their cross-examinations.

Assignment #1:

Team Contract

Each team of students will draft their own team contract based upon the criteria provided. All team members must sign the contract and return it to the instructors. Students who fail to abide by the terms of the team contract may not receive full credit for team assignments impacted by their behavior.

Assignment #2:

Interim Briefings

At regular intervals throughout the investigation process teams will be responsible for providing an updated briefing to the course instructors. During these briefings the instructors will act as members of upper management, and teams will be evaluated primarily on their ability to clearly communicate their progress, their challenges, as well as clearly defining their current beliefs and their degree of certainty for each claim.

Teams will not be evaluated on the technical quality of their investigations during the interim briefings. These briefings are primarily designed to give students a chance to practice their ability to clearly communicate findings while giving the instructors an opportunity to provide course correction advice to the students to ensure they remain on track for delivering the best possible final incident report (see next assignment).

Assignment #3:

Incident Report

Each team will submit one final incident report detailing their findings. This report must be written in a deductive manner that is understandable by a nontechnical audience while still providing all the necessary details for a technical audience to be able to understand the exact process by which the investigation was conducted and what specific evidence was found to support the findings contained within the report.

Assignment #4:

Defense Testimony & Prosecution Testimony

Each hearing will focus on one specific area of the investigation. Within the defined scope of the hearing one team will be responsible for prosecuting whatever crimes they believe occurred within that specific area of the investigation. Another team will be responsible for defending against these claims.

The entire content of the prosecuting team’s incident report may be used by both teams during this hearing. The defense team may introduce whatever portions of their own incident report they wish to include as they see fit. The prosecution may not address portions of the defense’s incident report which have not been introduced into evidence.

Teams are encouraged to purposefully take advantage of any possible interpretations of ambiguously worded statements in the opposing team’s incident report, or poorly supported claims therein. Teams may not rely on evidence that was not contained in an included incident report.

Class Participation and Discussions

In the first half of the semester, and whenever there is no explicit deliverable (see Schedule), we expect students to join the discussion virtually to ask questions related to the material distributed on a given week or the weeks prior.

During group discussions and hearings, please be respectful and courteous to your peers. While tensions may rise due to the adversarial nature of the proceedings, we must always retain our professional demeanor and respect. Personal attacks will not be tolerated.

Discussions that take place outside of the classroom will be conducted via Canvas.


Class Policies and Expectations

Since this is a capstone course, students will be expected to effectively manage their schedules and work independently outside of the scheduled class time. The schedule may be changed during the course as required. If the instructors must cancel a meeting, notification will be sent out as early as possible. Additionally, a pool of 100 points of extra credit will be shared among all students who quote this sentence in a message to the instructors within 72 hours of the first class. Since these points will be divided among those who do so, it would benefit you most to keep this to yourself. Consider it a reward for reading all the course materials carefully.

Take Care of Yourself: 

Do your best to maintain a healthy lifestyle this semester by eating well, exercising, avoiding drugs and alcohol, getting enough sleep and taking some time to relax. This will help you achieve your goals and cope with stress.


All of us benefit from support during times of struggle. You are not alone. There are many helpful resources available on campus and an important part of the college experience is learning how to ask for help. Asking for support sooner rather than later is often helpful.


If you or anyone you know experiences any academic stress, difficult life events, or feelings like anxiety or depression, we strongly encourage you to seek support. Counseling and Psychological Services (CaPS) is here to help: call 412-268-2922 and visit their website at http://www.cmu.edu/counseling/.  Consider reaching out to a friend, faculty or family member you trust for help getting connected to the support that can help.


CMU Academic Integrity Policy:

(https://www.cmu.edu/policies/student-and-student-life/academic-integrity.html)

The INI academic integrity policy can be found in the INI Student Handbook:
(http://www.ini.cmu.edu/current_students/handbook/ , section IV, subsection III)

The INI adheres to Carnegie Mellon University’s Policy on Academic Integrity. The policy includes the University expectations around academic integrity and provides definitions of cheating, plagiarism, and unauthorized assistance. A review of the University’s Academic Disciplinary Actions procedures is also recommended. These procedures outline the process for investigating, reporting, and adjudicating violations of the University Policy on Academic Integrity, in addition to the appeal process. Students are responsible for reviewing and understanding the University policies below:

University Academic Disciplinary Actions procedures:
https://www.cmu.edu/student-affairs/ocsi/students/undergrad%20responding/revised-ai-procedures19-20.pdf

In addition to the university and college-level policies, it is the INI’s policy that an INI student is not permitted to drop the course in which the academic integrity violation occurred. The INI may recommend additional sanctions beyond course-level action.

This policy applies, in all respects, to this course.


[1] Course objective #2

[2] Course objective #1

[3]