


Page history last edited by Patrick 2 years, 1 month ago

CET4862 Network Forensics and Incident Response




  • This is a hands-on course that covers security incidents and intrusions, including identifying and categorizing incidents; responding to incidents; log analysis; malware analysis; capturing volatile information; network traffic analysis; honeypots and honeynets; open source tools for incident response; creating an incident response team, and ethics in a digital investigation. 



  • CIS4360 (Computer and Network Security or Applied Cybersecurity).


Start here!




There is no physical classroom for this course. To check attendance you are to complete the Syllabus quiz by the assigned due date.  Please read the syllabus prior to taking the quiz.  If you fail to complete the quiz prior to the indicated due date you will be counted as "not attending," which may affect any financial aid you may be receiving.


BSIT Curriculum

Here's the new curriculum (2016) for our BS in IT degree at Daytona State College.


This course is taught at Daytona State College as part of the Engineering Technology program.  




Why learn Incident Response?


Do your future plans involve working in IT? I'm assuming they are, as this course is geared toward students who will work in some area of IT, whether as a network, systems, or security administrator, or even management. The following is a description of an 'incident' from the NIST Incident Response Guide:


"In general, an incident is a violation of computer security policies, acceptable use policies, or standard computer security practices.  Examples of incidents are—

  • A distributed denial of service attack against a public Web server
  • A worm that infects hundreds of workstations on a network and effectively shuts down the network
  • An attacker who gains remote administrator-level access to an e-mail server
  • A user who downloads password cracking tools
  • A user who defaces another organization’s public Web site."


"Incidents" occur on a daily basis at every organization. "Perpetrators" of incidents range from the disgruntled employee to nation states.  Consequences of incidents range from the banal (Suzy looked at Timmy's document) to intellectual property theft to online businesses/organizations unable to function.


So why learn incident response? Because if you are to work as a network/systems/security administrator you WILL encounter them.  Don't wait to learn 'on-the-job,' learn here in a nice, cozy, protected environment, where you can make mistakes, learn from them, and NOT GET FIRED. :)


If this is the first time reading this page make sure you read the ENTIRE page first! Then you can jump into the downloads below. 


Major Topics Covered in This Course

  • Installing VMWare
  • Malware forensics
  • Forensic imaging over a network
  • Network forensics
  • Working with a list of known file hashes
  • Host-based intrusion detection
  • Honeypots 
  • Identifying Indicators of an Intrusion
  • Ethics in forensics investigations 


Course Outcomes


By the end of this course the successful student will be able to:


1. Students will be able to identify INFOSEC principles, various types of incidents, investigative steps, and possible outcomes.

2. Students will be able to perform analysis of real malware, including static and dynamic analysis.

3. Students will be able to recover volatile information from a running computer.

4. Students will be able to describe steganography, identify a stego file, and recover the hidden message.

5. Students will be able to identify procedures used in network forensics, identify major components of TCP/IP, and use a network monitoring tool (Wireshark) to identify normal and abnormal traffic (syn scans, password guessing, downloading of protected intellectual property, SQL injection, buffer overflow).

6. Students will be able to identify differences between network intrusion detection systems, and host-based intrusion detection systems, including identifying the structure and configuration of the latter.

7. Students will be able to identify the uses and various levels of interaction involved in the deployment and analysis of a honeypot.

8. Students will perform an incident response on a live system, including gathering and analyzing evidence from log files, emails, system configuration files, and 'employee' directories. 




All required readings will be provided.  Readings include governmental publications, the professor’s published work in the related topics, and web readings.  The two major readings will be:




These are free publications that I’ve uploaded on the website.  There are additional readings as well.


Readings are normally available in PDF format. If you don’t have a PDF reader, I suggest you download Foxit Reader (free for Windows). You can download Foxit Reader at:  http://www.foxitsoftware.com/pdf/reader/


Course Lectures


Click here to view All Course Lectures


Course lectures are usually 10-30 minutes long, and are in MP4 format.  More information on individual lectures is available in the link above.


I suggest you save each lecture to your hard drive so you may access it anytime. Pause when you need to. Replay when you need to.  Have you ever tried doing that in a 'live' class?  Maybe a couple of times, but now YOU are in control.


Also, an analogy: I bought Tiger Woods' book on golf. Read the whole thing cover to cover. Now I can play golf just like Tiger. Nope.  Have to practice, again and again and again. Same thing goes for this class. Can't learn Linux by just watching a lecture. You MUST practice, as much as possible.  I highly suggest that while watching the video you have your Linux virtual machine running. Pause the video when I run a command. Run the command, see what it does.  Start the video, and repeat.  


You may ask: "Why are your videos so much shorter than a regular class?"  Have you ever seen a recording of a regular class?  Most of it is 'dead space,' nothing being said, idle chit chat, etc.  My lectures are intentionally 'dense' with material.  Take a 1.5 hour lecture, remove extraneous information, pauses, chit chat, dead space, and voila -- a condensed version that is 10-30 minutes. The 'Cliff Notes' of lectures (you young people may have to Google that).  


It takes more time to edit my videos than to record them.  The condensed version allows you to use YOUR time more wisely.  There's no sense in doing it any other way. You're welcome. :)



Certificate in Cybersecurity and Cyberforensics


If you are in the BSIT program then this is a great opportunity for you to earn the new Cybersecurity and Cyberforensics certificate. Here's the link that explains more.



The certificate consists of six courses: Linux administration, Computer and Network Security, Security Methods and Practices, Introduction to Digital Forensics, Advanced Digital Forensics, and Network Forensics and Incident Response.

I've taught these courses since 2006, all were developed while I was at UCF, and the forensics courses were part of the Master's of Science in Digital Forensics I developed while at UCF. Of course I've modified them for the BS.

The courses are VERY hands-on.   In these courses you learn the theory and then apply what you've learned in hands-on assignments.  I've received great reviews from students about these courses, and several of my students who have gone on to work for large companies now come back to Daytona State looking for students who have excelled in these courses.

The great thing about the certificate is that we cover topics that we KNOW will be important in IT for the future.  If you read anything on the internet you know that security is becoming (and actually has been) critical to our nation's security and economy.  This pretty much guarantees job security.

If you need further information please click on the link above or contact me.


